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Revision 

Rename  the  Modes  Tests  to  the  Monte  Carlo  Tests  to  coincide  with  all  other 
documents. 

Represent  “through”  as  not 

Draw  a  box  around  the  Triple  DES  operations  in  the  pseudocode  to  indicate  what 
code  is  from  the  Triple  DES  standard  and  what  code  is  part  of  the  Validation  test. 

Replace  subscript  numbers  with  subscript  variable  names.  Lor  example,  C9999  is 
replaced  with  Cj. 

Make  reference  to  the  three  different  keying  options  specified  in  LIPS  PUB  46-3. 

Input  Type  2  -  remove  “. .  .represented  as  a  16  character  ASCII. . replace  with 
“. .  .represented  as  an  ASCII. . .” 

Input  Type  5  -  same  as  above 

Input  Type  8  -  same  as  above 

Input  Type  13  -  same  as  above 

Input  Type  15  -  same  as  above 

Input  Type  18  -  same  as  above 

Input  Type  21  -  same  as  above 

Input  Type  22  -  for  TEXT1,  TEXT2,  and  TEXT3  remove  “. . .  1  to  64  binary. . .” 
replace  with  “. .  .64  binary. . .” 

Input  Type  24  -  same  as  above 

Output  Type  2  -  for  DATA  and  RESULT  remove  “. .  .is  a  16  character 
hexidecimal. . replace  with  “. .  .is  1  -  64  binary  bits  represented  as  an  ASCII 
hexidecimal. . .” 

Output  Type  3  -  same  as  above 
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Page 

40  Output  Type  6  -  same  as  above 

41  Output  Type  7  -  same  as  above 

41  Output  Type  8  -  same  as  above 

46  In  pseudocode,  Send  statement  -  the  subscript  on  C  should  be  lowercase  i. 

57  Replace  P0  =  C9999  with  P0  =  C, 

78  In  pseudocode,  the  subscript  should  be  lowercase  i 
92  Switch  2)  and  3)  to  make  the  text  coincide  with  the  pseudocode 

1 14  In  pseudocode,  Send  statement  -  II;,  12;,  and  13;  should  be  sent  instead  of  PI;,  P2;, 
and  P3; 

115  Clock  Cycle  T4,  2)  -  The  subscript  on  TEMP3  should  be  1. 

115  b.  -  Replace  PI;,  P2;,  P3;  with  II;,  12;,  13;. 

135  Replace  Ckgggg  with  Ckj_;  and  replace  Ck9999  with  Ckj 

136  Clock  Cycle  T4,  a)  -  replace  DEA2  with  DEA3 

b)  -  replace  DEA3  with  DEA2 
replace  KEY3;  with  KEY2; 

Swap  a)  and  b)  to  make  the  text  coincide  with  the  pseudocode. 

137  In  f),  g)  and  h)  - 

Replace  subscript  9999  with  j 
Replace  subscript  9998  with  j-1 
Replace  subscript  9997  with  j-2 
165  In  the  pseudocode,  add  “FOR  k  =  1  to  3” 

165  Replace  subscript  9999  with  j 

166  In  Clock  Cycle  Tl-  b),  Clock  Cycle  T2:  b),  and  Clock  Cycle  T3:  b): 

The  j  in  Ilj,  I2j,  and  I3j,  respectively,  should  be  a  subscript:  Ilj,  I2j,  I3j. 
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167  In  2b)  -  Add  comma  after  P3j. 

167  In  f.  -  Add  comment  “Note  j=9999.” 

167  In  f),  g)  and  h)  - 

Replace  subscript  9999  with  j 

Replace  subscript  9998  with  j-1 

Replace  subscript  9997  with  j-2 

182  In  pseudocode,  replace  the  subscript  9999  with  j 

184  In  2)  and  3)  -  Replace  the  subscript  9999  with  j 

184  In  3)  -  Add  subscripts  to  I  and  k-bit  C  so  they  read  Ij  and  C, 

185-186  In  pseudocode,  replace  the  subscript  9999  with  j . 

187  In  2)  and  3)  -  Replace  the  subscript  9999  with  j. 

187  In  2)  -  Add  subscripts  to  I  and  k-bit  C  so  they  read  I,  and  C, 

210  In  pseudocode,  the  code  pertaining  to  the  Triple  DES  algorithm  does  not  coincide 
with  the  Triple  DES  standard.  The  subscript  on  RESULT  should  be  j-3,  i.e., 

Ij  =  RM  (64  K)  (I(j-1))  II  K-bit  RESULTj., 

Should  be 

Ij  =  RM  (64  K)  (I(j-1))  II  K-bit  RESULTj.3 

210  Add  a  separate  Monte  Carlo  Test  for  the  Encryption  and  Decryption  processes  of 
the  CFB-P  Mode  of  operation.  (Section  5.5.2) 

211  In  pseudocode,  replace  19999  with  Ij . 

212  In  b2),  replace  subscript  j-2  with  j-3. 

213  In  3)  and  4)  -  Replace  the  subscript  9999  with  j.  Add  statement  “. .  .where  j  = 
9999.” 

226  At  the  end  of  the  external  loop,  where  new  values  are  generated  for  the  keys,  the 
text  and  the  input  block,  it  was  unclear  in  the  generation  of  the  new  text  which 
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value  of  text  was  being  referred  to  in  this  statement: 

TEXTo  =  TEXTo  ©  Ij 

TEXT0  is  referring  to  the  initial  text  of  the  INTERNAL  loop.  Therefore,  add  the 
following  code  to  make  this  clear: 

In  pseudocode,  add  statement  “INITTEXT  =  TEXTo”  in  the  external  loop  before 
the  internal  loop.  This  will  capture  the  initial  text  used  for  each  internal  loop. 

Also,  modify  the  statement  at  the  end  of  the  external  loop: 

TEXTo  =  TEXTo  ©  Ij 

To  read 

TEXTo  =  INITTEXT  ©  Ij 

227  In  the  pseudocode,  replace  the  subscript  9999  with  j. 

227  In  the  text,  add  after  b: 

“c.  Assign  the  value  of  TEXT0  to  INITTEXT.  This  will  contain  the  initial  text 
from  every  j  =  0  loop.” 

228  Reletter  text. 

228  In  g  1),  2),  and  3)  -  Replace  subscript  9999  with  j. 

Replace  subscript  9998  with  j-1. 

Replace  subscript  9997  with  j-2. 

228  In  g  2)  -  This  should  read: 

Assign  a  new  value  to  the  TEXT0.  The  TEXT0  should  be  assigned  the  value  of 
INITTEXT  exclusive-ORed  with  I,. 

228  In  g  NOTE  -  P  should  be  replaced  with  TEXT. 

252  In  the  pseudocode,  Replace  the  subscript  9999  with  j. 

253-254  Replace  subscript  9999  with  j. 
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Table  A. 5 
Table  A.7 

Table  A. 8 
Table  A. 8 

Table  A.9 

Table  A.  10 


Revision 

Replace  column  headings  PLAINTEXT1,  2,  and  3  with  INPUTBLOCK1,  2,  and  3. 

Replace  column  headings  PLAINTEXT  1,  2,  and  3  with  one  column  labeled 
CIPHERTEXTS. 

Replace  column  headings  CIPHERTEXT  1,  2,  and  3  with  PLAINTEXT  1,  2,  and  3. 
Start  ROUND  numbers  with  0. 

Replace  colum  headings  PLAINTEXT  1,  2,  and  3  with  one  column  labeled 
PLAINTEXTS. 

Replace  column  headings  PLAINTEXTS  2,  and  3  with  PLAINTEXT  1  ©  IV 1, 
PLAINTEXT2  ©  IV2,  and  PLAINTEXT3  ©  IV3,  respectively. 

Replace  column  headings  PLAINTEXT!,  2,  and  3  with  IV 1,  2,  and  3. 
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ABSTRACT 


The  National  Institute  of  Standards  and  Technology  (NIST)  Triple  Data  Encryption  Algorithm 
(TDEA)  Modes  of  Operation  Validation  System  (TMOVS)  specifies  the  procedures  involved  in 
validating  implementations  of  the  Triple  DES  algorithm  in  FIPS  PUB  46-3  Data  Encryption 
Standard  (DES)  (and  ANSI  X9.52  -  1998).  The  TMOVS  is  designed  to  perform  automated 
testing  on  Implementations  Under  Test  (IUTs).  This  publication  provides  brief  overviews  of  the 
Triple  DES  algorithm  and  introduces  the  basic  design  and  configuration  of  the  TMOVS.  Included 
in  this  overview  are  the  specifications  for  the  two  categories  of  tests  that  make  up  the  TMOVS, 
i.e.,  the  Known  Answer  tests  and  the  Monte  Carlo  tests.  The  requirements  and  administrative 
procedures  to  be  followed  by  those  seeking  formal  NIST  validation  of  an  implementation  of  the 
Triple  DES  algorithm  are  presented.  The  requirements  described  include  the  specific  protocols  for 
communication  between  the  IUT  and  the  TMOVS,  the  types  of  tests  which  the  IUT  must  pass  for 
formal  NIST  validation,  and  general  instructions  for  accessing  and  interfacing  with  the  TMOVS. 
An  appendix  with  tables  of  values  and  results  for  the  Triple  DES  Known  Answer  tests  is  also 
provided. 

Key  words:  automated  testing,  computer  security,  cryptographic  algorithms,  cryptography,  Triple 
Data  Encryption  Algorithm  (TDEA),  Triple  Data  Encryption  Standard  (TDES),  Federal 
Information  Processing  Standard  (FIPS),  NVLAP,  secret  key  cryptography,  validation. 

1.  Introduction 

1.1  Background 

The  publication  specifies  the  tests  required  to  validate  Implementations  Under  Test  (IUTs)  for 
conformance  to  the  Triple  DES  algorithm  (TDEA)  as  specified  in  ANSI  X9.52,  Triple  Data 
Encryption  Algorithm  Modes  of  Operation.  When  applied  to  IUTs  that  implement  the  TDEA,  the 
TDEA  Modes  of  Operation  Validation  System  (TMOVS)  provides  testing  to  determine  the 
correctness  of  the  algorithm  implementation.  This  involves  both  testing  the  specific  components 
of  the  algorithm,  as  well  as,  exercising  the  entire  algorithm  implementation.  In  addition  to 
determining  conformance,  the  TMOVS  is  structured  to  detect  implementation  flaws  including 
pointer  problems,  insufficient  allocation  of  space,  improper  error  handling,  and  incorrect  behavior 
of  the  TDEA  implementation. 

The  TMOVS  is  composed  of  two  types  of  validation  tests,  the  Known  Answer  tests  and  the 
Monte  Carlo  tests.  The  validation  tests  are  based  on  the  standard  DES  test  set  and  the  Monte 
Carlo  test  described  in  Special  Publication  800-17,  Modes  of  Operation  Validation  System 
(MOVS):  Requirements  and  Procedures.  By  applying  the  same  framework  specified  in  Special 
Publication  800-17  to  TDES,  the  TMOVS  specifies  how  to  validate  implementations  of  the 
TDEA  in  software,  firmware,  hardware,  or  any  combination  thereof. 

The  Known  Answer  tests  are  designed  to  verify  the  components  of  the  DES  algorithm  in  the  IUT 
(e.g.,  S  boxes,  permutation  tables,. . .).  The  tests  exercise  each  bit  of  every  component  of  the 
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algorithm  implementation.  This  is  accomplished  by  processing  all  possible  basis  vectors  through 
the  IUT.  To  perform  the  Known  Answer  tests,  the  TMOVS  supplies  known  values  to  the  IUT 
and  the  IUT  then  processes  the  input  through  the  implemented  algorithm.  The  results  produced 
by  the  IUT  are  compared  to  the  expected  values. 

The  Monte  Carlo  Test  is  designed  to  exercise  the  entire  implementation  of  the  TDEA,  as  opposed 
to  testing  only  the  individual  components.  The  purpose  of  the  Monte  Carlo  Test  is  to  detect  the 
presence  of  flaws  in  the  IUT  that  were  not  detected  with  the  controlled  input  of  the  Known 
Answer  test.  The  Monte  Carlo  Test  does  not  guarantee  ultimate  reliability  of  the  IUT  that 
implements  the  TDEA  (i.e.,  hardware  failure,  software  corruption,  etc.).  To  perform  the  Monte 
Carlo  Test,  the  TMOVS  supplies  the  IUT  with  pseudorandom  values  for  the  initial  plaintext, 
key(s),  and,  if  applicable,  initialization  vector(s).  Using  these  values,  the  IUT  is  exercised  through 
four  million  DES  encryption/decryption  iterations.  The  results  are  then  compared  to  the  expected 
values. 

The  successful  completion  of  the  tests  contained  within  the  TMOVS  is  required  to  claim 
conformance  of  Triple  DES  implementations  as  defined  in  FIPS  PUB  46-3,  Data  Encryption 
Standard  (DES).  Testing  for  single  DES  implementations  is  defined  in  Special  Publication  800- 
17,  Modes  of  Operation  Validation  System  (MOVS):  Requirements  and  Procedures.  Testing  for 
the  cryptographic  module  in  which  Triple  DES  is  implemented  is  defined  in  FIPS  PUB  140-1, 
Security  Requirements  for  Cryptographic  Modules. 

1.2  Organization 

Section  2  gives  a  brief  overview  of  the  Triple  DES  algorithm  and  the  five  modes  of  operation 
allowed  by  this  algorithm  as  well  as  the  interleaved  and  pipelined  versions  of  several  of  these 
modes.  Section  3  provides  an  overview  of  the  tests  that  make  up  the  Triple  DES  Modes  of 
Operation  Validation  System  (TMOVS).  Section  4  describes  the  basic  protocol  used  by  the 
TMOVS.  Section  5  provides  a  detailed  explanation  of  each  test  required  by  the  TMOVS  to 
validate  an  IUT  of  the  TDEA.  Section  6  outlines  the  design  of  the  TMOVS.  Appendix  A 
provides  tables  of  values  for  the  Known  Answer  tests  for  TDEA.  These  tables  include: 

—  For  modes  of  operation  including  TECB,  TCBC,  TCFB,  and  TOFB: 

Table  A.l  -  Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test 
Table  A. 2  -  Resulting  Ciphertext  from  the  Variable  Key  Known  Answer  Test 
Table  A. 3  -  Values  to  be  Used  for  the  Permutation  Operation  Known  Answer  Test 
Table  A.4  -  Values  to  be  Used  for  the  Substitution  Tables  Known  Answer  Test 

—  For  the  TCBC-I  mode  of  operation: 

Table  A.5  -  Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test  for 
TCBC-I 
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Table  A. 6  -  Resulting  Ciphertext  from  the  Inverse  Permutation  Known  Answer  Test  for 
TCBC-I 


Table  A.7  -  Resulting  Ciphertext  from  the  Initial  Permutation  Known  Answer  Test  for 
TCBC-I 

Table  A. 8  -  Values  to  be  Used  for  the  Substitution  Tables  Known  Answer  Test  for  TCBC- 
I 

For  the  TCFB-P  and  TOFB-I  modes  of  operation: 

Table  A. 9  -  Resulting  Ciphertext  from  the  Variable  Text  Known  Answer  Test  for  TCFB- 
P  and  TOFB-I 

Table  A.  10  -  Values  to  be  Used  for  the  Substitution  Tables  Known  Answer  Test  for 
TCFB-P  and  TOFB-I 

For  the  TCBC-I,  TCFB-P,  and  TOFB-I  modes  of  operation: 

Table  A.ll-  Resulting  Ciphertext  from  the  Variable  Key  Known  Answer  Test  for  TCBC- 
I,  TCFB-P  and  TOFB-I 

Table  A.  12  -  Values  to  be  Used  for  the  Permutation  Operation  Known  Answer  Test  for 
TCBC-I,  TCFB-P  and  TOFB-I 


1.3  Definition(s) 

1.3.1  Basis  vector 

A  vector  consisting  of  a  “1”  in  the  zth  position  and  “0”  in  all  of  the  other  positions. 

1.3.2  Block 

A  binary  vector.  In  this  document,  the  input  and  output  of  encryption  and  decryption  operation 
are  64-bit  block.  The  bits  are  numbered  from  left  to  right.  The  plaintext  and  ciphertext  are 
segmented  to  k-bit  blocks,  k  =  1,  8,  64. 

1.3.3  Ciphertext 

Encrypted  (enciphered)  data. 

1.3.4  Cryptographic  boundary 

An  explicitly  defined  contiguous  perimeter  that  establishes  the  physical  bounds  around  the  set  of 
hardware,  software  and  firmware  which  is  used  to  implement  the  TDEA  and  the  associated 
cryptographic  processes. 

1.3.5  Cryptographic  key 

A  parameter  that  determines  the  transformation  from  plaintext  to  ciphertext  and  vice  versa.  (A 
DEA  key  is  a  64-bit  parameter  consisting  of  56  independent  bits  and  8  parity  bits).  Multiple  (1,  2 
or  3)  keys  may  be  used  in  the  Triple  Data  Encryption  Algorithm. 
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1.3.6  Data  Encryption  Algorithm 

The  algorithm  specified  in  FIPS  PUB  46-3,  Data  Encryption  Algorithm  (DEA). 

1.3.7  Decryption 

The  process  of  transforming  ciphertext  into  plaintext. 

1.3.8  Encryption 

The  process  of  transforming  plaintext  into  ciphertext. 

1.3.9  Exclusive-OR 

The  bit-by-bit  modulo  2  addition  of  binary  vectors  of  equal  length. 

1.3.10  Initialization  Vector 

A  binary  vector  used  as  the  input  to  initialize  the  algorithm  for  the  encryption  of  a  plaintext  block 
sequence  to  increase  security  by  introducing  additional  cryptographic  variance  and  to  synchronize 
cryptographic  equipment.  The  initialization  vector  need  not  be  secret.  Some  of  the  Triple  Data 
Encryption  Algorithm  Modes  of  Operation  require  3  initialization  vectors. 

1.3.11  Key 

See  cryptographic  key. 

1.3.12  Plaintext 

Intelligible  data  that  has  meaning  and  can  be  read  or  acted  upon  without  the  application  of 
decryption.  Also  known  as  cleartext. 

1.3.13  Self-dual  Key 

A  key  with  the  property  that  when  you  encrypt  twice  with  this  key,  the  result  is  the  initial  input. 

1.3.14  Triple  Data  Encryption  Algorithm 

The  algorithm  specified  in  FIPS  PUB  46-3  -1999,  Data  Encryption  Algorithm. 


1.4 

Symbols  (and  Acronyms) 

1.4.1 

C 

Ciphertext 

1.4.2 

C/7 

Block  of  data  representing  the  Ciphertext  n 

1.4.3 

c\...,c64 

Bits  of  the  Ciphertext  Block 

1.4.4 

Dkeyx(Y) 

Decrypt  Y  with  the  key  KEYX 

1.4.5 

DEA 

The  Data  Encryption  Algorithm  specified  in  FIPS  46-3 

1.4.6 

DES 

Data  Encryption  Standard  specified  in  FIPS  46-3 

1.4.7 

Ekeyx(Y) 

Encrypt  Y  with  the  key  KEYX 

1.4.8 

FIPS  PUB 

Federal  Information  Processing  Standard  Publication 
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1.4.9  I 


Input  Block 

1.4.10  In  Block  of  data  representing  the  Input  Block  n 

1.4.11  I1,...,!64  Bits  of  the  Input  Block 

1.4.12  IUT  Implementation  Under  Test 

1.4.13  IV  Initialization  Vector 

1.4.14  IV n  Block  of  data  representing  IV  n 

1.4.15  KEY/?  Block  of  data  representing  KEY  n 

1.4.16  NIST  National  Institute  of  Standards  and  Technology 

1.4.17  O  Output  Block 

1.4.18  0\...,064  Bits  of  the  Output  Block 

1.4.19  On  Block  of  data  representing  Output  Block  n 

1.4.20  P  Plaintext 

1.4.21  P',...,P64  Bits  of  the  Plaintext  Block 

1.4.22  P n  Block  of  data  representing  Plaintext  n 

1.4.23  RESULT/?  Block  of  data  representing  Plaintext  /?,  if  encryption  state,  or  Ciphertext  n, 

if  decryption  state 

1.4.24  TCBC  TDE A  Cipher  Block  Chaining  Mode  of  Operation 

1.4.25  TCBC-I  TDEA  Cipher  Block  Chaining  Mode  of  Operation  -  Interleaved 

1.4.26  TCFB  TDEA  Cipher  Feedback  Mode  of  Operation 

1.4.27  TCFB-P  TEA  Cipher  Feedback  Mode  of  Operation  -  Pipelined 

1.4.28  TDEA  Triple  Data  Encryption  Algorithm  specified  in  FIPS  46-3 

1.4.29  TDES  Triple  Data  Encryption  Standard  specified  in  FIPS  46-3 

1.4.30  TECB  TDEA  Electronic  Codebook  Mode  of  Operation 

1.4.31  TEXT/?  Block  of  data  representing  Plaintext  /?,  if  encryption  state,  or  Ciphertext  /?, 

if  decryption  state 

1.4.32  TMOVS  TDEA  Modes  of  Operation  Validation  System 
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1.4.33  TOFB  TDEA  Output  Feedback  Mode  of  Operation 

1.4.34  TOFB-I  TDEA  Output  Feedback  Mode  of  Operation  -  Interleaved 

1.4.35  VARIABLE  „  Block  of  data  representing  the  value  of  VARIABLE  for  the  nh  iteration 

1.4.36  X  ©  Y  Bit-wise  inclusive-or  of  two  bit-strings  X  and  Y  of  the  same  bit  length. 

2.  Triple  Data  Encryption  Algorithm  (TDEA) 

FIPS  PUB  46-3  -  1999,  Data  Encryption  Standard  (DES),  (and  ANSI  X9.52  -  1998)  specifies 
the  Triple  Data  Encryption  Algorithm  (TDEA)  modes  of  operation  for  the  enhanced 
cryptographic  protection  of  digital  data.  The  modes  of  operation  for  TDEA  provide  a  means  of 
extending  the  effective  key  space  of  the  Data  Encryption  Algorithm  (DEA).  Certain  modes  also 
provide  increased  protection  against  more  sophisticated  cryptanalytic  attacks.  FIPS  PUB  46-3  - 
1999  enhances  the  basic  level  of  cryptographic  protection  of  digital  data  provided  by  DEA,  thus 
extending  the  useful  lifetime  of  this  technology. 

The  TDEA  consists  of  three  components  -  the  DES  algorithm  (DEA),  multiple  keys,  and 
initialization  vector(s).  The  DEA  is  called  three  times  in  the  TDEA.  The  TDEA  utilizes  one  to 
three  keys  and,  depending  on  the  mode  of  operation  being  implemented,  zero,  one  or  three 
initialization  vectors  (TVs). 

The  basic  processing  involved  in  the  TDEA  is  as  follows:  An  input  block  is  read  into  the  first 
DEA  (DEAl)  and  encrypted  using  the  first  key  (KEYl).  The  output  produced  from  this  stage  is 
read  directly  into  the  second  DEA  (DEA2)  and  decrypted  using  the  second  key  (KEY2).  The 
output  produced  by  the  second  stage  is  directly  read  into  the  third  DEA  (DEA3)  and  encrypted 
using  the  third  key  (KEY3).  The  resultant  output  block  is  used,  according  to  the  mode 
implemented,  in  the  calculation  of  the  ciphertext.  Note  that  the  output  for  the  intermediate  DEA 
stages  is  never  revealed  outside  the  cryptographic  boundary. 

Three  different  keying  options  are  allowed  by  the  TDEA.  The  first  option  specifies  that  all  the 
keys  are  independent,  i.e.,  KEYl,  KEY2,  and  KEY3  are  independent.  This  is  referred  to  as 
Keying  Option  1  in  FIPS  PUB  46-3  -  1999  (and  ANSI  X9.52  -  1998).  It  will  be  referred  to  as  3- 
key  TDES  in  this  document.  The  second  option  specifies  that  KEYl  and  KEY2  are  independent 
and  KEY3  is  equal  to  KEYl,  i.e.,  KEYl  and  KEY2  are  independent,  KEY3  =  KEYl.  This  is 
referred  to  as  Keying  Option  2  in  FIPS  PUB  46-3  -  1999  (and  ANSI  X9.52  -  1998)  and  will  be 
referred  to  as  2-key  TDES  in  this  document.  And  the  third  option  specifies  that  KEYl,  KEY2 
and  KEY3  are  equal,  i.e.,  KEY1=KEY2=KEY3.  This  is  referred  to  as  Keying  Option  3  in  FIPS 
PUB  46-3  -  1999  (and  ANSI  X9.52  -  1998  and  will  be  referred  to  as  1-key  TDES  in  this 
document.  1-key  TDES  is  equivalent  to  single  DES. 

The  initialization  vector  (IV)  must  meet  the  following  attributes  as  specified  by  the  TDEA: 

•  For  TECB,  no  IV  is  used. 
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•  For  all  modes  using  an  IV,  the  IV  may  be  public  information. 

•  For  TOFB  and  TOFB-I,  the  IV  should  never  be  a  constant. 

•  If  the  mode  of  operation  implemented  requires  one  IV,  it  may  be  generated  in  one  of  two 
ways: 

Randomly  or  Pseudo-randomly 
As  a  counter 

•  If  the  mode  of  operation  implemented  requires  three  IVs,  they  should  be  generated  as  follows: 

IV1  should  be  generated  in  the  same  manner  as  one  IV  (described  above). 

-  IV2  =  IV1  +  Rj  mod  264,  where  R,  =  5555555555555555. 

-  IV3=  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA. 

A  thorough  explanation  of  the  processing  involved  in  the  four  modes  of  operation  supplied  by 
TDEA,  as  well  as  the  new  message-interleaved  and  pipelined  versions  of  these  modes  can  be 
found  in  FIPS  PUB  46-3  -  1999  (and  ANSI  X9. 52-1998).  A  brief  explanation  of  each  mode  is 
found  below. 

2.1  TDEA  Electronic  Codebook  (TECB)  Mode 


TECB  ENCRYPTION 

PLAINTEXT 

P 

i  I 

DEA  ENCRYPTkey1 
DEA  DECRYPTKEY2 
DEA  ENCRYPTKEY3 

i  o 

CIPHERTEXT 

C 


TECB  DECRYPTION 

CIPHERTEXT 
C 
i  I 

DEA  DECRYPTKEY3 
DEA  ENCRYPTKEY2 
DEA  DECRYPTkey1 

i  o 

PLAINTEXT 

P 
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Figure  1 


TDEA  Electronic  Codebook  (TECB)  Mode 


The  TDEA  Electronic  Codebook  (TECB)  mode  is  shown  in  Figure  1.  In  TECB  encryption,  a  64- 
bit  plaintext  data  block  (P)  is  used  directly  as  the  input  block  (I).  The  input  block  is  processed 
through  the  first  DEA  (DEAl)  in  the  encrypt  state  using  KEY1.  The  output  of  this  process  is  fed 
directly  to  the  input  of  the  second  DEA  (DEA2)  where  DES  is  performed  in  the  decrypt  state 
using  KEY2.  The  output  of  this  process  is  fed  directly  to  the  input  of  the  third  DEA  (DEA3) 
where  DES  is  performed  in  the  encrypt  state  using  KEY3.  The  resultant  64-bit  output  block  (O) 
is  used  directly  as  ciphertext  (C). 

In  TECB  decryption,  a  64-bit  ciphertext  block  (C)  is  used  directly  as  the  input  block  (I).  The 
keying  sequence  is  reversed  from  the  encrypt  process.  The  input  block  is  processed  through 
DEA3  in  the  decrypt  state  using  KEY3.  The  output  of  this  process  is  fed  directly  to  the  input  of 
DEA2,  where  DES  is  performed  in  the  encrypt  state  using  KEY2,  and  the  result  is  directly  fed  to 
the  input  of  DEAl,  where  DES  is  performed  in  the  decrypt  state  using  KEY1.  The  resultant  64- 
bit  output  block  (O)  produces  the  plaintext  (P). 

2.2  TDEA  Cipher  Block  Chaining  (TCBC)  Mode 


Figure  2  TDEA  Cipher  Block  Chaining  (TCBC)  Mode 

As  shown  in  the  upper  half  of  Figure  2,  the  TDEA  Cipher  Block  Chaining  (TCBC)  mode  begins 
processing  by  dividing  a  plaintext  message  into  64-bit  data  blocks.  In  TCBC  encryption,  the  first 
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input  block  (Ii)  is  formed  by  exclusive-ORing  the  first  plaintext  data  block  (Pi)  with  a  64-bit 
initialization  vector  IV,  i.e.,  (Ii  =  IV  ©  Pi).  The  input  block  is  processed  through  DEA1  in  the 
encrypt  state  using  KEY1.  The  output  of  this  process  is  fed  directly  to  the  input  of  DEA2,  which 
performs  DES  in  the  decrypt  state  using  KEY2.  The  output  of  this  process  is  fed  directly  to  the 
input  of  DEA3,  which  performs  DES  in  the  encrypt  state  using  KEY3.  The  resultant  64-bit  output 
block  (Oi)  is  used  directly  as  ciphertext  (Ci),  i.e.,  (Ci  =  Oi).  This  first  ciphertext  block  is  then 
exclusive-ORed  with  the  second  plaintext  data  block  to  produce  the  second  input  block,  i.e.,  (E) 

=  (Ci  ©  P2).  Note  that  I2  and  P2  now  refer  to  the  second  block.  The  second  input  block  is 
processed  through  the  TDEA  to  produce  the  second  ciphertext  block.  This  encryption  process 
continues  to  "chain"  successive  cipher  and  plaintext  blocks  together  until  the  last  plaintext  block 
in  the  message  is  encrypted.  If  the  message  does  not  consist  of  an  integral  number  of  data  blocks, 
then  the  final  partial  data  block  should  be  encrypted  in  a  manner  specified  for  the  application. 

In  TCBC  decryption  (see  the  lower  half  of  Figure  2),  the  first  ciphertext  block  (Ci)  is  used 
directly  as  the  input  block  (T).  The  keying  sequence  is  reversed  from  the  encrypt  process.  The 
input  block  is  processed  through  DEA3  in  the  decrypt  state  using  KEY3.  The  output  of  this 
process  is  fed  directly  to  the  input  of  DEA2,  where  DES  is  processed  in  the  encrypt  state  using 
KEY2.  This  resulting  value  is  directly  fed  to  the  input  of  DEA1,  where  DES  is  processed  in  the 
decrypt  state  using  KEY1.  The  resulting  output  block  is  exclusive-ORed  with  the  IV  (which  must 
be  the  same  as  that  used  during  encryption)  to  produce  the  first  plaintext  block,  i.e.,  (Pi  =  Oi  © 
IV).  The  second  ciphertext  block  is  then  used  as  the  next  input  block  and  is  processed  through  the 
TDEA  as  shown  above.  The  resulting  output  block  is  exclusive-ORed  with  the  first  ciphertext 
block  to  produce  the  second  plaintext  data  block,  i.e.,  (P2  =  02  ©  Ci).  (NOTE  -  P2  and  02  refer 
to  the  second  block.)  The  TCBC  decryption  process  continues  in  this  manner  until  the  last 
complete  ciphertext  block  has  been  decrypted.  Ciphertext  representing  a  partial  data  block  must 
be  decrypted  in  a  manner  as  specified  for  the  application. 

2.3  TDEA  Cipher  Block  Chaining  -  Interleaved  (TCBC-I)  Mode 

Both  the  encryption  and  decryption  processes  of  the  TDEA  Cipher  Block  Chaining  -  Interleaved 
(TCBC-I)  mode  of  operation  require  3  IVs,  an  n  block  message  interleaved  into  three  sub-texts, 
and  3  keys.  The  IVs,  denoted  IV1,  IV2,  and  IV3,  are  generated  based  on  the  specifications 
mentioned  in  Section  2.  For  both  the  encryption  and  decryption  processes  of  the  TCBC-I  mode  of 
operation,  these  values  are  assigned  to  the  initial  values  of  Cl,  C2,  and  C3. 

Prior  to  commencing  both  the  TCBC-I  encryption  and  decryption  processes,  the  TEXT  (which 
refers  to  plaintext,  P,  if  encrypting  and  ciphertext,  C,  if  decrypting)  is  interleaved  into  three  sub¬ 
texts.  This  is  accomplished  by  taking  an  n-block  TEXT  and  subdividing  it  into  groups  consisting 
of  three  blocks  each  accordingly: 


TEXT=(TEXT],  TEXT2„ 
TEXT3,2,  TEXTu,  TEXT 


..,  TEXT,,)  =(TEXTU,  TEXT2J,  TEXT3,i,  TEXTU,  TEXT2,2, 
2i3,  TEXT3  3,...,TEXTl  i,  TEXT2ji,  TEXT3  i),  where  i  =  n/3. 


Then  the  TEXT  is  decimated  into  three  sub-texts: 


TEXT1  =  TEXTU,  TEXTU,  TEXTi,3,..„TEXT1,„i; 
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where 


TEXT2  =  TEXT2  I,  TEXT2j2,  TEXT2,3,...,TEXT2,„2; 

TEXT3  =  TEXT31,  TEXT3,2,  TEXT33,...,TEXT3„3; 

-  if  n  mod  3  =  0,  then  nl  =  n2  =  n3  =  n/3\  The  last  block  in  TEXT  is  TEXT3  ,,3. 

-  if  n  mod  3  =  1,  then  nl  =  (n+2)/3,  n2  =  n3  =  (n-1  )/3:  The  last  block  in  TEXT  is 
TEXT!,,,!. 

-  if  n  mod  3  =  2,  then  nl  =  n2  =  (n+l)/3,  n3  =  (n-2)/3\  The  last  block  in  TEXT  is 
TEXT2,„2. 

The  TCBC-I  mode  of  operation  is  intended  for  systems  equipped  with  multiple  DEA  processors. 
Each  of  the  DEA  processors  used  in  both  the  encryption  and  decryption  processes  utilize  the 
same  processing  as  that  used  in  the  TCBC  mode  of  operation  for  all  three  sub-texts.  The  DEA 
processors  operate  simultaneously. 

During  the  encryption  process  of  the  TCBC-I  mode  of  operation,  for  j=l  to  3  and  i=l  to  n,  the  PM 
is  exclusive-ORed  with  the  Cy-i.  This  value  is  processed  through  DEA1  in  the  encrypt  state  using 
KEY1.  The  output  of  this  process  is  fed  directly  to  the  input  of  DEA2,  which  performs  DES  in 
the  decrypt  state  using  KEY2.  The  output  of  this  process  is  fed  directly  to  the  input  of  DEA3, 
which  performs  DES  in  the  encrypt  state  using  KEY3.  The  resultant  64-bit  output  block  is  used 
directly  as  the  Cy. 

With  three  DEA  functional  blocks,  DEA1,  DEA2,  and  DEA3,  which  are  simultaneously  clocked, 
the  encryption  of  three  sub-plaintexts  can  be  interleaved. 

In  pseudocode  terms, 

For  j  =  1  to  3  { 

Cj,o  =  IVj 
For  i  =  1  to  «j  { 

Cj,i  =  EkEY3  (DkEY2  (EkEYI  (Pj,i  ©Cj,i.l))) 

Output  Cj,j 

} 

} 

During  the  decryption  process  of  the  TCBC-I  mode  of  operation,  for  j=l  to  3  and  i=l  to  n.  the 
Cy  is  processed  through  DEA3  in  the  decrypt  state  using  KEY3.  The  output  of  this  process  is  fed 
directly  to  the  input  of  DEA2,  which  performs  DES  in  the  encrypt  state  using  KEY2.  The  output 
of  this  process  is  fed  directly  to  the  input  of  DEA1,  which  performs  DES  in  the  decrypt  state 
using  KEY1.  The  resultant  64-bit  output  block  is  exclusive-ORed  with  the  Cy-i.  This  value  is 
used  directly  as  the  Py. 

Because  there  are  three  DEA  functional  blocks,  DEAi,  DEA2,  and  DEA3,  which  are 
simultaneously  clocked,  the  decryption  of  three  sub-ciphertexts  can  be  interleaved. 
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In  terms  of  pseudocode, 


For  j  =  1  to  3  { 

Cj,o  =  IVj 

For  i  =  1  to  «j  { 

Pj,i  =  DkEYI  (ErEY2  (DrEY3  (Cj,i)))  ©  Cj4.l 

Output  Pj,i 

} 

} 

2.4  TDEA  Cipher  Feedback  (TCFB)  Mode 


ENCRYPTION 
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Figure  3  TDEA  Cipher  Feedback  (TCFB)  Mode 


The  TDEA  Cipher  Feedback  (TCFB)  mode  is  shown  in  Figure  3.  A  message  to  be  encrypted  is 
divided  into  K-bit  data  units,  where  K  may  equal  1  through  64  inclusively  (K  =  1,2,. ..,64).  In  both 
the  TCFB  encrypt  and  decrypt  operations,  an  initialization  vector  (IV)  of  length  64  is  used.  The 
input  block  is  assigned  the  value  of  the  IV,  i.e.,  (I  =  IV).  The  input  block  is  processed  through 
DEA1  in  the  encrypt  state  using  KEY1.  The  output  of  this  process  is  fed  directly  to  the  input  of 
DEA2,  where  DES  is  performed  in  the  decrypt  state  using  KEY2.  The  output  of  this  process  is 
fed  directly  to  the  input  of  DEA3,  where  DES  is  performed  in  the  encrypt  state  using  KEY3. 
During  encryption,  ciphertext  is  produced  by  exclusive- ORing  a  K-bit  plaintext  data  unit  with  the 
most  significant  K  bits  of  the  output  block,  i.e.XC^C2,...,^)  =  (P1  ©  O1,  P2  ©  O2,...,  PK  ©  0K), 
where  each  C1,  P1,  and  O1  represents  a  single  bit  of  the  ciphertext  block  C,  plaintext  block  P,  and 
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output  block  O,  respectively.  Similarly,  during  decryption,  plaintext  is  produced  by  exclusive- 
ORing  a  K-bit  unit  of  ciphertext  with  the  most  significant  K  bits  of  the  output  block,  i.e., 
(P*,P2,...,PK)  =  (C1  ©  O1,  C2  ©  O2,...,  CK  ©  0K).  In  both  cases,  the  unused  bits  of  the  output 
block  are  discarded.  For  both  the  encryption  and  decryption  processes,  the  next  input  block  is 
created  by  discarding  the  most  significant  K  bits  of  the  previous  input  block,  shifting  the 
remaining  bits  K  positions  to  the  left  and  then  inserting  the  K  bits  of  ciphertext  just  produced  in 
the  encryption  operation  or  just  used  in  the  decryption  operation  into  the  least  significant  bit 
positions,  i.e.,  (l\l2,...,I64)  =  (I[K+1],  I[K+2],...,  I64,C\C2,...,CK).  NOTE  -  I,  P,  and  C  now  refer  to 
the  second  block.  The  second  block  is  processed  through  the  TDEA  to  produce  the  second 
ciphertext  block  (or  plaintext  block,  if  decrypting).  The  input  block  is  then  processed  through 
DEA1  in  the  encrypt  state.  This  process  continues  until  the  entire  plaintext  message  has  been 
encrypted  or  until  the  entire  ciphertext  message  has  been  decrypted.  For  each  operation  of  the 
TDEA,  one  K-bit  unit  of  plaintext  produces  one  K-bit  unit  of  ciphertext,  and  one  K-bit  unit  of 
ciphertext  produces  one  K-bit  unit  of  plaintext. 

2.5  TDEA  Cipher  Feedback  Mode  of  Operation  -  Pipelined  (TCFB-P) 

Both  the  encryption  and  decryption  processes  of  the  TDEA  Cipher  Feedback  -  Pipelined  (TCFB- 
P)  mode  of  operation  require  3  IVs,  a  K-bit  TEXT  and  3  keys.  The  IVs,  denoted  IV 1,  IV2,  and 
IV3  are  generated  based  on  the  specifications  mentioned  in  the  introduction  of  Section  2.  For 
both  the  encryption  and  decryption  processes  of  the  TCFB-P  mode  of  operation,  the  IV  values 
are  assigned  to  the  input  block  of  DEA1  in  succession. 

The  TCFB-P  mode  of  operation  is  intended  for  systems  equipped  with  multiple  DEA  processors. 
Each  of  the  DEA  processors  used  in  both  the  encryption  and  decryption  processes  utilize  the 
same  processing  as  that  used  in  the  TCFB  mode  of  operation.  With  three  DEA  functional  blocks, 
which  are  simultaneously  clocked,  and  with  three  IVs,  the  TCFB  encryption  and  decryption 
processes  can  be  pipelined. 

Prior  to  commencing  both  the  TCFB-P  encryption  and  decryption  processes,  a  3-step  initialization 
process  must  be  conducted  as  follows: 

Step  1:  IV 1  is  input  to  DEA1  and  encrypted  using  KEY1. 

Step  2:  The  output  of  DEA1  is  input  to  DEA2  and  decrypted  using  KEY2. 

Simultaneously,  IV2  is  input  to  DEA1  and  encrypted  using  KEY1. 

Step  3:  The  output  of  DEA2  is  input  to  DEA3  and  encrypted  using  KEY3.  This  produces 
the  first  output  block.  Simultaneous  with  encryption  by  DEA3,  the  output  of 
DEA1  (from  step  2)  is  input  to  DEA2  and  decrypted  using  KEY2,  and  IV3  is  input 
to  DEA1  and  encrypted  using  KEY1. 

During  encryption,  a  K-bit  ciphertext  block  is  produced  by  exclusive-ORing  the 
most  significant  K-bits  of  the  output  block  from  DEA3  with  the  K-bit  plaintext 
block. 
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Successive  input  blocks  for  DEA1  are  formed  by  discarding  the  most  significant  K  bits  of  the 
previous  DEA1  input  block,  shifting  the  remaining  bits  K  positions  to  the  left  and  then  inserting 
the  K  bits  of  the  newest  K-bit  ciphertext  block  into  the  least  significant  bit  positions.  DEA1, 
DEA2  and  DEA3  are  run  simultaneously  to  produce  successive  output  blocks  that  are  exclusive- 
ORed  to  successive  K-bit  plaintext  blocks  to  produce  successive  K-bit  ciphertext  blocks. 

Decryption  is  performed  in  the  same  manner  as  encryption,  except  that  the  role  of  the  plaintext 
and  the  ciphertext  are  reversed. 

2.6  TDEA  Output  Feedback  (TOFB)  Mode 


ENCRYPTION  DECRYPTION 


PLAINTEXT 

_  INPUT  BLOCK  INITIALLY 

CONTAINS  AN  IV  RIGHT 
JUSTIFIED. 


Figure  4  TDEA  Output  Feedback  (TOFB)  Mode 

The  TDEA  Output  Feedback  (TOFB)  mode  is  shown  in  Figure  4.  A  message  to  be  encrypted  is 
divided  into  64-bit  data  units.  In  both  the  TOFB  encrypt  and  decrypt  operations,  a  64-bit 
initialization  vector  (IV)  is  used.  The  IV  is  used  as  input  in  the  first  round,  i.e.,  (I  =  IV).  This 
input  block  is  processed  through  DEA1  where  DES  is  processed  in  the  encrypt  state  using  KEY1 
The  output  of  this  process  is  fed  directly  to  the  input  of  DEA2  where  DES  is  processed  in  the 
decrypt  state  using  KEY2.  The  output  of  this  process  is  fed  directly  to  the  input  of  DEA3  where 
DES  is  processed  in  the  encrypt  state  using  KEY3.  During  encryption,  ciphertext  is  produced  by 
exclusive-ORing  a  plaintext  data  unit  with  an  output  block,  i.e.,  (C  =  P  ©  O).  Similarly,  during 
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decryption,  plaintext  is  produced  by  exclusive-ORing  a  ciphertext  with  an  output  block,  i.e.,  (P  = 
C  ©  O).  In  both  cases  the  next  input  block  is  assigned  the  value  of  the  output  block,  i.e.,  (I  =  O). 
This  input  block  is  then  processed  through  the  TDEA  as  described  above.  This  process  continues 
until  the  entire  plaintext  message  has  been  encrypted  or  until  the  entire  ciphertext  message  has 
been  decrypted. 

2.7  TDEA  Output  Feedback  Mode  of  Operation  -  Interleaved  (TOFB-I) 

Both  the  encryption  and  decryption  processes  of  the  TDEA  Output  Feedback  -  Interleaved 
(TOFB-I)  mode  of  operation  require  3  IVs,  a  TEXT  and  3  keys.  The  IVs,  denoted  IV 1,  IV2,  and 
IV3,  are  generated  based  on  the  specifications  mentioned  in  the  introduction  of  Section  2.  For 
both  the  encryption  and  decryption  processes  of  the  TOFB-I  mode  of  operation,  the  IV  values  are 
assigned  to  the  input  block  of  DEA1  in  succession. 

The  TOFB-I  mode  of  operation  is  intended  for  systems  equipped  with  multiple  DEA  processors. 
Each  of  the  DEA  processors  used  in  both  the  encryption  and  decryption  processes  utilize  the 
same  processing  as  that  used  in  the  TOFB  mode  of  operation.  With  three  DEA  functional  blocks, 
which  are  simultaneously  clocked,  and  with  three  IVs,  the  TOFB  encryption  and  decryption 
processes  can  be  interleaved. 

Prior  to  commencing  both  the  TOFB-I  encryption  and  decryption  processes,  a  3-step  initialization 
process  must  be  conducted  as  follows: 

Step  1:  IV 1  is  input  to  DEA1  and  encrypted  using  KEY1. 

Step  2:  The  output  of  DEA1  is  input  to  DEA2  and  decrypted  using  KEY2. 
Simultaneously,  IV2  is  input  to  DEA1  and  encrypted  using  KEY1. 

Step  3:  The  output  of  DEA2  is  input  to  DEA3  and  encrypted  using  KEY3.  This  produces 
the  first  output  block.  Simultaneous  with  encryption  by  DEA3,  the  output  of 
DEA1  (from  step  2)  is  input  to  DEA  and  decrypted  using  KEY2,  and  IV3  is  input 
to  DEA1  and  encrypted  using  KEY1. 

During  encryption,  a  ciphertext  block  is  produced  by  exclusive-ORing  the  output 
block  from  DEA3  with  the  plaintext  block. 

Successive  input  blocks  for  DEA1  are  formed  by  assigning  them  the  value  of  the  newest 
ciphertext  block.  DEA1,  DEA2  and  DEA3  are  run  simultaneously  to  produce  successive  output 
blocks  that  are  exclusive-ORed  to  successive  plaintext  blocks  to  produce  successive  ciphertext 
blocks. 

Decryption  is  performed  in  the  same  manner  as  encryption,  except  that  the  role  of  the  plaintext 
and  the  ciphertext  are  reversed. 
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3.  MODES  OF  OPERATION  VALIDATION  SYSTEM  FOR  THE 

TRIPLE  DES  (TDES)  ALGORITHM 

The  TMOVS  for  the  Triple  DES  algorithm  (TDEA)  consists  of  two  types  of  tests,  the  Known 
Answer  tests  and  the  Monte  Carlo  tests.  The  TMOVS  provides  conformance  testing  for  the 
components  of  the  algorithm,  as  well  as  testing  for  apparent  implementation  errors. 

The  IUTs  may  be  written  in  software,  firmware,  hardware,  or  any  combination  thereof. 

An  IUT  must  allow  the  TMOVS  to  have  control  over  the  required  input  parameters  for  validation 
to  be  feasible.  The  ability  to  initialize  or  load  known  values  to  the  variables  required  by  a  specific 
test  may  exist  at  the  device  level  or  the  chip  level  in  an  IUT.  If  an  IUT  does  not  allow  the 
TMOVS  to  have  control  over  the  input  parameter  values,  the  TMOVS  tests  cannot  be  performed. 

An  IUT  may  implement  encryption  only,  decryption  only,  or  both  encryption  and  decryption.  This 
will  determine  which  TMOVS  tests  will  be  performed  by  an  IUT. 

The  following  subsections  provide  an  overview  of  the  Known  Answer  tests  and  the  Monte  Carlo 
tests.  This  overview  discusses  the  functionality  of  each  test  and  the  components  of  the  TDEA 
tested  by  the  individual  tests. 

3.1  The  Known  Answer  Tests 

The  Known  Answer  tests  are  based  on  the  standard  DES  test  set  discussed  in  Special  Publication 
500-20.  They  are  designed  to  verify  the  components  of  the  DES  algorithm  in  the  IUT.  These 
components  include  the  initial  permutation  IP,  the  inverse  permutation  IP"1,  the  expansion  matrix 
E,  the  data  permutation  P,  the  key  permutations  PCI  and  PC2,  and  the  substitution  tables  Si, 
S2,...,S8.  The  tests  exercise  each  bit  of  every  component  of  the  algorithm  by  processing  all 
possible  basis  vectors  through  the  IUT. 

A  generic  overview  of  the  sets  of  Known  Answer  tests  required  for  the  validation  of  IUTs 
implementing  the  encryption  and/or  decryption  processes  of  all  modes  of  operation  for  the  TDEA 
is  discussed  below. 

3.1.1  The  Encryption  Process 

An  IUT  which  allows  encryption  requires  the  successful  completion  of  five  Known  Answer  tests: 
the  Variable  Plaintext  Known  Answer  Test,  the  Inverse  Permutation  Known  Answer  Test,  the 
Variable  Key  Known  Answer  Test  for  the  Encryption  Process,  the  Permutation  Operation  Known 
Answer  Test  for  the  Encryption  Process,  and  the  Substitution  Table  Known  Answer  Test  for  the 
Encryption  Process. 

These  Known  Answer  tests  are  also  used  in  the  testing  of  IUTs  implementing  the  decryption 
process  of  the  TCFB,  TCFB-P,  TOFB  and  TOFB-I  modes  of  operation.  This  is  due  to  the  fact 
that  these  modes  call  the  three  DEA  stages  in  the  same  order  for  both  the  encryption  and 
decryption  processes,  i.e.,  encrypt  KEY1,  decrypt  KEY2  and  encrypt  KEY3. 
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3.1. 1.1 


The  Variable  Plaintext  Known  Answer  Test 


To  perform  the  Variable  Plaintext  Known  Answer  Test,  the  TMOVS  supplies  the  IUT 
with  initial  values  for  the  three  keys,  the  plaintext(s)  and,  if  applicable,  the  initialization 
vector(s).  For  IUTs  supporting  the  interleaved  and  pipelined  configurations  of  TDES, 
initial  values  for  three  initialization  vectors  are  supplied  by  the  TMOVS.  For  IUTs 
supporting  the  TCBC-I  mode  of  operation,  an  initial  value  is  supplied  to  three  plaintext 
variables.  These  three  plaintext  variables  are  initialized  to  the  same  value.  The  other 
modes  of  operation  only  require  one  plaintext  variable.  The  TMOVS  initializes  all  keys  to 
zero  (with  odd  parity  set).  Each  block  of  data  input  into  the  TDEA  is  represented  as  a  64- 
bit  basis  vector. 

For  the  four  basic  modes  of  operation  (TECB,  TCBC,  TCFB,  and  TOFB),  the  input  block 
is  processed  through  the  DEA  three  times  —  first  in  the  encrypt  state  with  KEY1,  next  in 
the  decrypt  state  with  KEY2,  and  lastly,  in  the  encrypt  state  with  KEY3.  The  resulting 
output  block  is  used  in  the  calculation  of  the  ciphertext. 

For  modes  of  operation  supporting  interleaving  and  pipelining  (TCBC-I,  TCFB-P,  TOFB- 
I),  it  is  assumed  that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed 
by  three  DES  processors.  Therefore,  three  input  blocks  are  processed  simultaneously 
through  the  three  DES  processors  resulting  in  three  output  blocks  which  are  then  used  in 
the  calculation  of  the  three  ciphertext  values.  The  formation  of  the  input  block  is 
dependent  upon  the  mode  of  operation  supported.  Note  that  the  design  of  the  TMOVS 
assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values  resulting 
from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  64  times,  using  the  64  input  basis  vectors,  allowing  for  every  possible 
basis  vector  to  be  tested.  At  the  completion  of  the  64th  cycle,  all  results  are  verified  for 
correctness. 

If  correct  results  are  obtained  from  an  IUT,  the  Variable  Plaintext  Known  Answer  Test 
has  verified  the  initial  permutation  IP  and  the  expansion  matrix  E  via  the  encrypt  operation 
by  presenting  a  full  set  of  basis  vectors  to  IP  and  to  E.  The  test  also  verifies  the  inverse 
permutation  IP"1  via  the  decrypt  operation.  It  does  this  by  presenting  the  recovered  basis 
vectors  to  IP"1. 

3.1. 1.2  The  Inverse  Permutation  Known  Answer  Test 

To  perform  the  Inverse  Permutation  Known  Answer  Test,  the  TMOVS  supplies  the  IUT 
with  initial  values  for  the  three  keys,  the  plaintext(s)  and,  if  applicable,  the  initialization 
vector(s).  For  IUTs  supporting  the  interleaved  and  pipelined  configurations  of  TDES, 
three  plaintext  values  and  three  initialization  vector  values  are  supplied  by  the  TMOVS. 
The  values  supplied  are  dependent  upon  the  modes  of  operation  being  implemented. 

This  test  performs  the  same  processing  as  the  Variable  Plaintext  Known  Answer  Test. 

The  difference  is  that  the  plaintext  value(s)  for  this  test  are  set  to  the  ciphertext  result(s) 
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obtained  from  the  Variable  Plaintext  Known  Answer  Test  for  the  corresponding  modes  of 
operation. 

The  key  is  initialized  to  zero  (with  odd  parity  set).  This  key  is  a  self-dual  key.  A  self-dual 
key  is  a  key  with  the  property  that  when  you  encrypt  twice  with  this  key,  the  result  is  the 
initial  input.  Therefore,  the  result  is  the  same  as  encrypting  and  decrypting  with  the  same 
key.  Using  a  self-dual  key  allows  basis  vectors  to  be  presented  to  components  of  the  DEA 
to  validate  the  IUT’s  performance.  This  is  discussed  further  in  the  last  paragraph  of  this 
section. 

For  the  four  basic  modes  of  operation  (TECB,  TCBC,  TCFB,  and  TOFB),  the  input  block 
is  processed  through  the  DEA  three  times  —  first  in  the  encrypt  state  with  KEY1,  next  in 
the  decrypt  state  with  KEY2,  and  lastly,  in  the  encrypt  state  with  KEY3.  The  resulting 
output  block  is  used  in  the  calculation  of  the  ciphertext,  which  is  then  recorded. 

For  modes  of  operation  supporting  interleaving  and  pipelining  (TCBC-I,  TCFB-P,  TOFB- 
I),  it  is  assumed  that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed 
by  three  DES  processors.  Therefore,  three  input  blocks  are  processed  simultaneously 
through  the  three  DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in 
the  calculation  of  the  three  ciphertext  values.  The  formation  of  the  input  block  is 
dependent  upon  the  mode  of  operation  supported.  Note  that  the  design  of  the  TMOVS 
assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values  resulting 
from  the  first  two  DES  calls  are  never  revealed. 

Using  the  plaintext  and,  if  applicable,  the  IV’s  supplied  by  the  TMOVS,  the  IUT  runs  the 
TDES  for  64  cycles.  At  the  completion  of  the  64th  cycle,  all  results  are  verified  for 
correctness. 

This  test,  when  applied  to  an  IUT,  verifies  the  inverse  permutation  (IP1)  via  the  encrypt 
operation,  because  as  the  basis  vectors  are  recovered,  each  basis  vector  is  presented  to  the 
inverse  permutation  IP"1.  By  performing  the  decrypt  operation,  the  initial  permutation  IP 
and  the  expansion  matrix  E  are  verified  by  presenting  the  full  set  of  basis  vectors  to  them 
as  well. 


3.1. 1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process 

To  implement  the  Variable  Key  Known  Answer  Test  for  the  Encryption  Process,  the 
TMOVS  supplies  the  IUT  with  initial  values  for  the  three  keys,  the  plaintext(s),  and,  if 
applicable,  the  initialization  vector(s).  For  IUTs  supporting  the  interleaved  and  pipelined 
configurations  of  TDES,  three  initialization  vector  values  are  supplied  by  the  TMOVS. 

For  IUTs  supporting  the  TCBC-I  mode  of  operation,  an  initial  value  is  supplied  to  three 
plaintext  variables.  These  three  plaintext  variables  are  initialized  to  the  same  value.  The 
other  modes  of  operation  only  require  one  plaintext  variable. 

During  the  initialization  process,  the  plaintext  value(s)  and  the  initialization  vector  value(s) 
are  set  to  zero.  All  three  keys  for  each  round  are  initialized  to  a  56-bit  key  basis  vector 
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which  contains  a  "1"  in  the  ith  significant  position  and  "0"s  in  all  remaining  significant 
positions  of  the  keys,  i.e.,  KEY1  =  KEY2  =  KEY3.  (NOTE  —  the  parity  bits  are  not 
considered  as  significant  bits.  These  parity  bits  may  be  "l"s  or  "0"s  to  maintain  odd 
parity.) 

For  the  four  basic  modes  of  operation  (TECB,  TCBC,  TCFB,  and  TOFB),  the  input  block 
is  processed  through  the  DEA  three  times  —  first  in  the  encrypt  state  with  KEY1,  next  in 
the  decrypt  state  with  KEY2,  and  lastly,  in  the  encrypt  state  with  KEY3.  The  resulting 
output  block  is  used  in  the  calculation  of  the  ciphertext,  which  is  then  recorded. 

For  modes  of  operation  supporting  interleaving  and  pipelining  (TCBC-I,  TCFB-P,  TOFB- 
I),  it  is  assumed  that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed 
by  three  DES  processors.  Therefore,  three  input  blocks  are  processed  simultaneously 
through  the  three  DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in 
the  calculation  of  the  three  ciphertext  values.  The  formation  of  the  input  block  is 
dependent  upon  the  mode  of  operation  supported.  Note  that  the  design  of  the  TMOVS 
assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values  resulting 
from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  56  times,  using  the  56  key  basis  vectors  to  allow  for  every  possible 
vector  to  be  tested.  At  the  completion  of  the  56th  cycle,  all  results  are  verified  for 
correctness. 

When  this  test  is  performed  for  an  IUT,  the  56  possible  key  basis  vectors  which  yield 
unique  keys  are  presented  to  PCI,  verifying  the  key  permutation  PCI  via  the  encrypt 
operation.  Also,  during  the  encrypt  operation,  a  complete  set  of  key  basis  vectors  is 
presented  to  PC2  as  well,  so  PC2  is  verified. 

This  test  also  verifies  the  right  shifts  in  the  key  schedule  via  the  DES  decrypt  operation  as 
the  basis  vectors  are  recovered. 

3.1. 1.4  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption 

Process 

To  implement  the  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process, 
the  TMOVS  supplies  the  IUT  with  32  key  values.  The  TMOVS  also  supplies  initial 
values  for  the  plaintext(s)  and,  if  applicable,  the  initialization  vector(s).  For  IUTs 
supporting  the  interleaved  and  pipelined  configurations  of  TDES,  initial  values  for  three 
initialization  vectors  are  supplied  by  the  TMOVS.  For  IUTs  supporting  the  TCBC-I  mode 
of  operation,  an  initial  value  to  be  assigned  to  all  three  plaintext  values  is  supplied.  The 
other  modes  of  operation  only  require  one  plaintext  value.  During  the  initialization  of  a 
test,  the  plaintext  value(s)  and  the  first  (or  only)  initialization  vector  value  are  set  to  0, 
while  the  key  values  are  assigned  to  one  of  the  32  key  values  supplied  by  the  TMOVS. 
Note  that  KEY1=KEY2=KEY3.  If  more  than  one  initialization  vector  is  used  by  a  TDES 
mode  of  operation,  the  other  IVs  are  computed  according  to  specifications  in  Section  2. 
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For  the  four  basic  modes  of  operation  (TECB,  TCBC,  TCFB,  and  TOFB),  the  input  block 
is  processed  through  the  DEA  three  times  —  first  in  the  encrypt  state  with  KEY1,  next  in 
the  decrypt  state  with  KEY2,  and  lastly,  in  the  encrypt  state  with  KEY3.  The  resulting 
output  block  is  used  in  the  calculation  of  the  ciphertext,  which  is  then  recorded. 

For  modes  of  operation  supporting  interleaving  and  pipelining  (TCBC-I,  TCFB-P,  TOFB- 
I),  it  is  assumed  that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed 
by  three  DES  processors.  Therefore,  three  input  blocks  are  processed  simultaneously 
through  the  three  DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in 
the  calculation  of  the  three  ciphertext  values.  The  formation  of  the  input  block  is 
dependent  upon  the  mode  of  operation  supported.  Note  that  the  design  of  the  TMOVS 
assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values  resulting 
from  the  first  two  DES  calls  are  never  revealed. 

Each  of  the  32  key  values  supplied  by  the  TMOVS  is  tested.  At  the  completion  of  the  32nd 
cycle,  all  results  are  verified  for  correctness. 

The  32  key  values  used  in  this  test  present  a  complete  set  of  basis  vectors  to  the 
permutation  operator  P.  By  doing  so,  P  is  verified.  This  occurs  when  both  the  encrypt  and 
decrypt  operations  are  performed. 

3.1. 1.5  The  Substitution  Table  Known  Answer  Test  for  the  Encryption 

Process 

To  implement  the  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process,  the 
TMOVS  supplies  the  IUT  with  19  key-data  sets.  Depending  on  the  mode  of  operation 
implemented,  the  data  value  will  be  assigned  to  the  plaintext  or  to  the  initialization  vector 
variables.  For  IUTs  supporting  the  interleaved  and  pipelined  configurations  of  TDES, 
initial  values  for  three  initialization  vectors  are  also  supplied  by  the  TMOVS.  For  the 
TCBC-I  mode  of  operation,  initial  values  for  three  plaintext  variables  are  supplied  as  well. 
The  other  modes  of  operation  only  require  one  plaintext  variable.  During  initialization,  the 
plaintext  values  (or  the  initialization  vector  values,  depending  on  the  mode  of  operation 
supported),  and  the  key  values  are  initialized  to  one  of  the  19  key-data  sets  supplied  by  the 
TMOVS. 

For  the  four  basic  modes  of  operation  (TECB,  TCBC,  TCFB,  and  TOFB),  the  input  block 
is  processed  through  the  DEA  three  times  —  first  in  the  encrypt  state  with  KEY1,  next  in 
the  decrypt  state  with  KEY2,  and  lastly,  in  the  encrypt  state  with  KEY3.  The  resulting 
output  block  is  used  in  the  calculation  of  the  ciphertext,  which  is  then  recorded. 

For  modes  of  operation  supporting  interleaving  and  pipelining  (TCBC-I,  TCFB-P,  TOFB- 
I),  it  is  assumed  that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed 
by  three  DES  processors.  Therefore,  three  input  blocks  are  processed  simultaneously 
through  the  three  DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in 
the  calculation  of  the  three  ciphertext  values.  The  formation  of  the  input  block  is 
dependent  upon  the  mode  of  operation  supported.  Note  that  the  design  of  the  TMOVS 
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assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values  resulting 
from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  for  each  of  the  19  key-data  sets,  allowing  every  value  in  the  set  of  19 
key-data  sets  to  be  tested.  At  the  completion  of  the  19th  set,  all  results  are  verified  for 
correctness. 

The  set  of  19  key-data  sets  used  in  this  test  result  in  every  entry  of  all  eight  S-box 
substitution  tables  being  used  at  least  once  during  both  the  encrypt  and  decrypt  operations. 
Thus,  this  test  verifies  the  64  entries  in  each  of  the  eight  substitution  tables. 

3.1.2  The  Decryption  Process 

The  five  Known  Answer  tests  required  for  validation  of  IUTs  implementing  the  decryption 
process  of  the  TDEA  consist  of  the  Variable  Ciphertext  Known  Answer  Test,  the  Initial 
Permutation  Known  Answer  Test,  the  Variable  Key  Known  Answer  Test  for  the  Decryption 
Process,  the  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  and  the 
Substitution  Table  Known  Answer  Test  for  the  Decryption  Process.  These  tests  are  only 
performed  by  IUTs  that  support  the  TECB,  TCBC,  and  TCBC-I  modes  of  operation,  since  only 
these  modes  of  operation  utilize  the  three  DES  stages  in  reverse  order  during  the  decryption 
process.  The  TCFB,  TCFB-P,  TOFB,  and  TOFB-I  modes  of  operation  utilize  the  DES  calls  in  the 
same  order  used  in  the  encryption  process,  i.e.,  encrypt  with  KEY1,  decrypt  with  KEY2  and 
encrypt  with  KEY3.  Therefore,  these  modes  of  operation  should  be  tested  using  the  same  Known 
Answer  tests  used  for  IUTs  that  support  the  encryption  process. 

3.1.2.1  The  Variable  Ciphertext  Known  Answer  Test 

To  perform  the  Variable  Ciphertext  Known  Answer  Test,  the  TMOVS  supplies  the  IUT 
with  64  ciphertext  values.  These  values  are  obtained  from  the  results  of  the  Variable 
Plaintext  Known  Answer  Test  if  the  IUT  performs  both  encryption  and  decryption. 
Otherwise,  the  TMOVS  will  supply  the  IUT  with  the  ciphertext  values.  If  applicable,  the 
TMOVS  also  supplies  initial  values  for  the  initialization  vector(s).  For  IUTs  supporting 
the  interleaved  configuration  of  the  TCBC  mode  of  operation  (TCBC-I),  64  sets  of 
ciphertext  values  consisting  of  three  ciphertext  values  each  and  three  initialization  vectors 
are  supplied.  These  supplied  values  are  dependent  upon  the  mode  of  operation  being 
implemented.  The  keys  and  initialization  vectors  are  initialized  to  zero  for  each  test. 

For  the  TECB  and  TCBC  modes  of  operation,  the  value  of  the  ciphertext  is  used  directly 
as  the  input  block  of  data.  The  input  block  is  processed  through  the  DEA  three  times  — 
first  in  the  decrypt  state  with  KEY3,  next  in  the  encrypt  state  with  KEY2,  and  lastly,  in  the 
decrypt  state  with  KEY1.  The  resulting  output  block  is  used  in  the  calculation  of  the 
plaintext,  which  is  then  recorded. 

For  the  TCBC-I  mode  of  operation,  it  is  assumed  that  multiprocessing  is  possible,  i.e., 
each  block  of  input  data  is  processed  by  three  DES  processors.  Therefore,  three  input 
blocks  are  processed  simultaneously  through  the  three  DES  processors,  resulting  in  three 
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output  blocks  which  are  then  used  in  the  calculation  of  the  three  plaintext  values.  Note 
that  the  design  of  the  TMOVS  assumes  that,  for  security  reasons,  an  IUT  is  designed  so 
that  intermediate  values  resulting  from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  once  for  each  of  the  64  ciphertext  values.  If  the  64  resulting  plaintext 
values  form  the  set  of  basis  vectors,  it  can  be  assumed  that  all  of  the  operations  were 
performed  successfully. 

As  the  basis  vectors  are  recovered  via  the  decrypt  operation,  they  are  presented  to  the 
inverse  permutation  IP"1,  thus  verifying  it.  This  test  also  verifies  the  initial  permutation  IP 
and  the  expansion  matrix  E  via  the  encrypt  operation  by  presenting  a  full  set  of  basis 
vectors  to  these  components. 

3.1.2.2  The  Initial  Permutation  Known  Answer  Test 

To  perform  the  Initial  Permutation  Known  Answer  Test,  the  TMOVS  supplies  the  IUT 
with  initial  values  for  the  ciphertext,  the  keys,  and,  if  applicable,  the  initialization  vector(s). 
For  IUTs  supporting  the  TCBC-I  mode  of  operation,  three  ciphertext  values  and  three 
initialization  vector  values  are  supplied.  The  values  supplied  are  dependent  upon  the  mode 
of  operation  being  implemented.  The  ciphertext  value(s)  are  set  to  the  plaintext  result(s) 
obtained  from  the  Variable  Ciphertext  Known  Answer  Test. 

The  key  is  initialized  to  zero  (with  odd  parity  set).  This  key  is  a  self-dual  key.  A  self-dual 
key  is  a  key  with  the  property  that  when  you  decrypt  (or  encrypt)  twice  with  this  key,  the 
result  is  the  initial  input.  Therefore,  the  result  is  the  same  as  encrypting  and  decrypting 
with  the  same  key.  Using  a  self-dual  key  allows  basis  vectors  to  be  presented  to 
components  of  the  DEA  to  validate  the  IUT’s  performance.  This  is  discussed  further  in 
the  last  paragraph  of  this  section. 

For  the  TECB  and  TCBC  modes  of  operation,  the  values  of  the  ciphertext  are  used 
directly  as  the  input  block  of  data.  The  input  block  is  processed  through  the  DEA  three 
times  —  first  in  the  decrypt  state  with  KEY3,  next  in  the  encrypt  state  with  KEY2,  and 
lastly,  in  the  decrypt  state  with  KEY1.  The  resulting  output  block  is  used  in  the  calculation 
of  the  plaintext,  which  is  then  recorded. 

For  the  TCBC-I  mode  of  operation,  it  is  assumed  that  multiprocessing  is  possible,  i.e., 
each  block  of  input  data  is  processed  by  three  DES  processors.  Therefore,  three  input 
blocks  are  processed  simultaneously  through  the  three  DES  processors,  resulting  in  three 
output  blocks  which  are  then  used  in  the  calculation  of  the  three  plaintext  values.  The 
three  input  blocks  are  directly  assigned  the  values  of  the  three  ciphertext  values  for  each 
iteration.  Note  that  the  design  of  the  TMOVS  assumes  that,  for  security  reasons,  an  IUT 
is  designed  so  that  intermediate  values  resulting  from  the  first  two  DES  calls  are  never 
revealed. 

This  test  is  run  for  each  of  the  64  ciphertext  values.  At  the  completion  of  the  64th  cycle, 
all  results  are  verified  for  correctness. 
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This  test,  when  applied  to  an  IUT,  verifies  the  initial  permutation  IP  and  the  expansion 
matrix  E  via  the  decrypt  operation,  by  presenting  the  full  set  of  basis  vectors  to  these 
components.  Via  the  encrypt  operation,  this  test  also  verifies  the  inverse  permutation  (IP" 
')  as  the  basis  vectors  are  recovered  by  presenting  each  basis  vector  to  the  inverse 
permutation  IP'1. 

3.1.2.3  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process 

To  implement  the  Variable  Key  Known  Answer  Test  for  the  Decryption  Process,  the 
TMOVS  supplies  the  IUT  with  56  keys  or,  for  the  TCBC-I  mode  of  operation,  56  key  sets 
consisting  of  three  keys  each.  The  TMOVS  also  supplies  initial  values  for  the  initialization 
vector  values,  if  applicable. 

During  the  initialization  process,  the  ciphertext  value(s)  are  initialized  in  one  of  two  ways. 
If  the  IUT  supports  both  encryption  and  decryption,  the  values  resulting  from  the 
encryption  performed  in  the  Variable  Key  Known  Answer  Test  for  the  Encryption  Process 
will  be  used  to  initialize  the  ciphertext  values.  Otherwise,  the  TMOVS  will  supply  the 
ciphertext  values  along  with  the  information  discussed  in  the  previous  paragraph.  The 
initialization  vector  value(s)  are  set  to  zero  for  each  test.  All  three  keys  for  each  round  are 
initialized  to  a  56-bit  key  basis  vector  which  contains  a  "1"  in  the  ith  significant  position 
and  "0"s  in  all  remaining  significant  positions  of  the  keys,  i.e.,  KEY1=KEY2=KEY3. 
(NOTE  —  the  parity  bits  are  not  considered  as  significant  bits.  These  parity  bits  may  be 
"l"s  or  "0"s  to  maintain  odd  parity.) 

For  the  TECB  and  TCBC  modes  of  operation,  the  values  of  the  ciphertext  are  used 
directly  as  the  input  blocks  of  data.  The  input  blocks  are  processed  through  the  DEA  three 
times  —  first  in  the  decrypt  state  with  KEY3,  next  in  the  encrypt  state  with  KEY2,  and 
lastly,  in  the  decrypt  state  with  KEY1.  The  resulting  output  blocks  are  used  in  the 
calculation  of  the  plaintext  values,  which  are  then  recorded. 

For  the  interleaved  configuration  of  the  TCBC  mode  of  operation  (TCBC-I),  it  is  assumed 
that  multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed  by  three  DES 
processors.  Therefore,  three  input  blocks  are  processed  simultaneously  through  the  three 
DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in  the  calculation  of 
the  three  plaintext  values.  The  three  input  blocks  are  directly  assigned  the  values  of  the 
three  corresponding  ciphertext  values  for  each  iteration.  Note  that  the  design  of  the 
TMOVS  assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values 
resulting  from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  for  each  of  the  56  key  basis  vectors,  allowing  for  every  possible  key 
basis  vector  to  be  tested.  At  the  completion  of  the  56th  cycle,  all  results  are  verified  for 
correctness. 

This  test  verifies  the  right  shifts  in  the  key  schedule  via  the  DES  decrypt  operation  as  the 
basis  vectors  are  recovered. 
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During  the  encrypt  operation,  a  complete  set  of  basis  vectors  is  presented  to  the  key 
permutation,  PCI,  thus  verifying  PCI.  Since  the  key  schedule  consists  of  left  shifts,  a 
complete  set  of  basis  vectors  is  also  presented  to  PC2  verifying  PC2  as  well. 

3.1.2.4  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption 
Process 

To  implement  the  Permutation  Operation  Known  Answer  Test  for  the  Decryption 
Process,  the  TMOVS  supplies  the  IUT  with  32  key-data  sets,  consisting  of  an  initial  value 
for  the  three  keys  and  values  for  the  ciphertext.  The  TMOVS  also  supplies  initial  values 
for  the  initialization  vector(s),  if  applicable.  For  IUTs  supporting  the  TCBC-I  mode  of 
operation,  three  ciphertext  values  are  included  in  the  key-data  sets,  and  three  initialization 
vector  values  are  supplied  for  each  set.  The  values  for  the  key  and  ciphertext  are  supplied 
in  one  of  two  ways.  If  the  IUT  performs  both  encryption  and  decryption,  values  for  the 
key  and  ciphertext  resulting  from  the  encryption  performed  in  the  Permutation  Operation 
Known  Answer  Test  for  the  Encryption  Process  will  be  used.  Otherwise,  the  key  and 
ciphertext  values  will  be  supplied  by  the  TMOVS.  If  applicable,  the  initialization  vector 
will  be  set  to  zero  for  each  test. 

For  the  TECB  and  TCBC  modes  of  operation,  the  values  of  the  ciphertext  are  used 
directly  as  the  input  blocks  of  data.  The  input  blocks  are  processed  through  the  DEA  three 
times  —  first  in  the  decrypt  state  with  KEY3,  next  in  the  encrypt  state  with  KEY2,  and 
lastly,  in  the  decrypt  state  with  KEY1.  The  resulting  output  blocks  are  used  in  the 
calculation  of  the  plaintext  values,  which  are  then  recorded. 

For  the  TCBC  mode  of  operation  supporting  interleaving  (TCBC-I),  it  is  assumed  that 
multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed  by  three  DES 
processors.  Therefore,  three  input  blocks  are  processed  simultaneously  through  the  three 
DES  processors,  resulting  in  three  output  blocks  which  are  then  used  in  the  calculation  of 
the  three  plaintext  values.  The  three  input  blocks  are  directly  assigned  the  values  of  the 
three  corresponding  ciphertext  values  for  each  iteration.  Note  that  the  design  of  the 
TMOVS  assumes  that,  for  security  reasons,  an  IUT  is  designed  so  that  intermediate  values 
resulting  from  the  first  two  DES  calls  are  never  revealed. 

This  test  is  repeated  for  each  of  the  32  key-data  sets.  At  the  completion  of  the  32nd  set, 
the  results  of  each  of  the  32  tests  are  verified  to  be  zero. 

The  32  key  sets  used  in  this  test  present  a  complete  set  of  basis  vectors  to  the  permutation 
operator  P.  By  doing  so,  P  is  verified.  This  occurs  when  both  the  encrypt  and  decrypt 
operations  are  performed. 

3.1.2.5  The  Substitution  Table  Known  Answer  Test  for  the  Decryption 
Process 

To  implement  the  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process,  the 
TMOVS  supplies  the  IUT  with  19  key-data  sets  consisting  of  an  initial  value  for  the  three 
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keys  and  values  for  the  ciphertext.  The  TMOVS  also  supplies  initial  values  for  the 
initialization  vector,  if  applicable.  For  IUTs  supporting  the  TCBC-I  mode  of  operation, 
three  ciphertext  values  are  included  in  the  key-data  sets  and  three  initialization  vector 
values  are  supplied  for  each  set.  The  values  for  the  keys  and  the  ciphertext  value(s)  are 
supplied  in  one  of  two  ways.  If  the  IUT  performs  both  encryption  and  decryption,  the 
values  for  the  key  and  ciphertext  resulting  from  the  encryption  performed  in  the 
Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  will  be  used. 
Otherwise,  the  key  and  ciphertext  values  will  be  supplied  by  the  TMOVS.  If  applicable, 
the  initialization  vector  will  be  set  to  zero  for  each  test. 

For  the  TECB  and  TCBC  modes  of  operation,  the  values  of  the  ciphertext  are  used 
directly  as  the  input  blocks  of  data.  The  input  blocks  are  processed  through  the  DEA  three 
times  —  first  in  the  decrypt  state  with  KEY3,  next  in  the  encrypt  state  with  KEY2,  and 
lastly,  in  the  decrypt  state  with  KEY1.  The  resulting  output  blocks  are  used  in  the 
calculation  of  the  plaintext  blocks,  which  are  then  recorded. 

For  the  TCBC  mode  of  operation  supporting  interleaving  (TCBC-I),  it  is  assumed  that 
multiprocessing  is  possible,  i.e.,  each  block  of  input  data  is  processed  by  three  DES 
processors.  Therefore,  for  interleaved  modes  of  operation,  three  input  blocks  are 
processed  simultaneously  through  the  three  DES  processors,  resulting  in  three  output 
blocks  which  are  then  used  in  the  calculation  of  the  three  plaintext  values.  The  three  input 
blocks  are  directly  assigned  the  values  of  the  three  corresponding  ciphertext  values  for 
each  iteration.  Note  that  the  design  of  the  TMOVS  assumes  that,  for  security  reasons,  an 
IUT  is  designed  so  that  intermediate  values  resulting  from  the  first  two  DES  calls  are 
never  revealed. 

This  test  is  repeated  for  each  of  the  19  key-data  sets  allowing  for  the  set  of  19  key-data 
sets  to  be  processed.  At  the  completion  of  the  19th  set,  all  results  are  verified  for 
correctness. 

The  set  of  19  key-data  sets  used  in  this  test  result  in  every  entry  of  all  eight  S-box 
substitution  tables  being  used  at  least  once  during  both  the  encrypt  and  decrypt  operations. 
Thus,  this  test  verifies  the  64  entries  in  each  of  the  eight  substitution  tables. 

The  Monte  Carlo  Test 

The  Monte  Carlo  Test  is  the  second  type  of  validation  test  required  to  validate  IUTs.  The  Monte 
Carlo  Test  is  based  on  the  Monte-Carlo  test  discussed  in  Special  Publication  500-20.  It  is 
designed  to  exercise  the  entire  implementation  of  the  TDEA,  as  opposed  to  testing  only  the 
individual  components.  The  purpose  of  the  Monte  Carlo  Test  is  to  detect  the  presence  of  flaws  in 
the  IUT  that  were  not  detected  with  the  controlled  input  of  the  Known  Answer  tests.  Such  flaws 
may  include  pointer  problems,  errors  in  the  allocation  of  space,  improper  error  handling,  and 
incorrect  behavior  of  the  TDEA  implementation  when  random  values  are  introduced.  The  Monte 
Carlo  Test  does  not  guarantee  ultimate  reliability  of  the  IUT  that  implements  the  TDEA  (i.e., 
hardware  failure,  software  corruption,  etc.). 
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The  TMOVS  supplies  the  IUT  with  initial  input  values  for  the  keys,  the  plaintext(s)  (or 
ciphertext(s)),  and,  if  applicable,  initialization  vector(s).  The  Monte  Carlo  Test  is  then  performed 
(as  described  in  the  following  paragraph),  and  the  resulting  ciphertext  (or  plaintext)  values  are 
recorded  and  compared  to  expected  values.  If  an  error  is  detected,  the  erroneous  result  is 
recorded,  and  the  test  terminates  abnormally.  Otherwise,  the  test  continues.  If  the  IUT's  results 
are  correct,  the  Monte  Carlo  Test  for  the  IUT  ends  successfully. 

Each  Monte  Carlo  Test  consists  of  four  million  cycles  through  the  TDEA  implemented  in  the 
IUT.  These  cycles  are  divided  into  four  hundred  groups  of  10,000  iterations  each.  Each  iteration 
consists  of  processing  an  input  block  through  three  operations  of  the  DEA  resulting  in  an  output 
block.  For  IUTs  of  the  encryption  process,  the  three  DES  operations  are  encrypted  with  KEY1, 
decrypted  with  KEY2,  and  encrypted  with  KEY3.  For  IUTs  of  the  decryption  process,  the  three 
DES  operations  are  decrypted  with  KEY3,  encrypted  with  KEY2,  and  decrypted  with  KEY1.  At 
the  10,000th  cycle  in  an  iteration,  new  values  are  assigned  to  the  variables  needed  for  the  next 
iteration.  The  results  of  each  10,000th  encryption  or  decryption  cycle  are  recorded  and  evaluated 
as  specified  in  the  preceding  paragraph. 
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4. 


BASIC  PROTOCOL 


4.1  Overview 

Input  and  output  messages  used  to  convey  information  between  the  TMOVS  and  the  IUT  consist 
of  specific  fields.  The  format  of  these  input  and  output  messages  is  beyond  the  scope  of  this 
document,  and  the  testing  laboratories  have  the  option  to  determine  the  specific  formats  of  those 
messages.  However,  the  results  sent  to  NIST  must  include  certain  minimum  information,  which  is 
specified  in  Section  4.4  Output  Types. 

A  separate  message  should  be  created  for  each  mode  of  operation  supported  by  an  IUT.  The 
information  should  indicate  the  algorithm  used  (Triple  DES),  the  mode  of  operation  (TECB, 
TCBC,  TCBC-I,  TCFB -including  feedback  amounts,  TCFB-P- including  feedback  amounts, 
TOFB,  TOFB-I),  the  cryptographic  process  supported  (encryption  and/or  decryption),  the  test 
being  performed  (one  of  the  various  Known  Answer  tests,  or  the  Monte  Carlo  Tests),  and  the 
required  data  fields.  The  required  data  may  consist  of  counts,  keys,  initialization  vectors,  and  data 
representing  plaintext  or  ciphertext.  Every  field  in  an  output  message  should  be  clearly  labeled  to 
indicate  its  contents  -  this  is  especially  important  for  NIST  to  be  able  to  ensure  that  test  results  are 
complete. 

4.1.1  Conventions 

The  following  conventions  should  be  used  in  the  data  portion  of  messages  between  the  TMOVS 
and  the  IUT:  (See  Section  4.1.2  for  these  notations.) 

1.  Integers:  integers  should  be  unsigned  and  should  be  represented  in  decimal  notation. 

2.  Hexadecimal  strings:  should  consist  of  ASCII  hexadecimal  characters.  The  ASCII 
hexadecimal  characters  to  be  used  should  consist  of  the  ASCII  characters  0-9  and  A-F  (or 
a-f),  which  represent  4-bit  binary  values. 

3.  Characters:  the  characters  to  be  represented  are  A-Z  (or  a-z),  0-9,  and  underscore  (_). 

4.1.2  Message  Data  Types 

The  following  data  types  should  be  used  in  messages  between  the  TMOVS  and  the  IUT: 

1 .  Decimal  integers:  a  decimal  integer  should  have  the  form 

ddd  ...  dd 

where  each  “d”  represents  a  decimal  character  (0-9);  one  or  more  characters 
should  be  present.  The  characters  must  be  contiguous. 

2.  Hexadecimal  strings:  a  hexadecimal  string  should  have  the  form 

hhh  ...  hh 
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where  each  “h”  should  represent  an  ASCII  character  0-9  or  A-F  (or  a-f).  Each  “h” 
represents  a  4-bit  binary  value. 

3.  Characters:  an  ASCII  character  should  have  the  form 

c 

where  “c”  represents  an  ASCII  character  A-Z  (or  a-z),  0-9,  or  underscore  (_). 

4.2  Message  Contents 

The  information  included  in  a  message  consists  of  the  following: 

Algorithm  -  Triple  DES, 

Mode  -  selections  consist  of  TECB,  TCBC,  TCBC-I,  TCFB-including  feedback  amounts,  TCFB- 
P-including  feedback  amounts,  TOFB,  TOFB-I 

Process  -  selections  consist  of  ENCRYPT  or  DECRYPT, 

Test  -  selections  consist  of: 

VTEXT  for  Variable  Plaintext/Ciphertext  Known  Answer  Test 
VKEY  for  Variable  KEY  Known  Answer  Test 
INVPERM  for  Inverse  Permutation  Known  Answer  Test 
INITPERM  for  Initial  Permutation  Known  Answer  Test 
PERM  for  Permutation  Operation  Known  Answer  Test 
SUB  for  Substitution  Table  Known  Answer  Test 
MODES  for  Monte  Carlo  Test 
Input/Output  Data 

The  contents  of  the  input/output  data  included  in  a  message  depend  on  the  algorithm,  mode, 
process,  and  test  being  performed.  These  different  combinations  of  data  have  been  organized  into 
input  types  and  output  types.  The  input  types  are  used  by  the  TMOVS  to  supply  data  to  the  IUT 
for  testing.  The  output  types  are  used  by  the  IUT  to  supply  results  from  the  tests  to  the  TMOVS, 
and  eventually  to  NIST. 

4.3  Input  Types 

Twenty-five  different  combinations  of  input  data  are  used  by  the  TMOVS  to  support  the  various 
Known  Answer  tests  and  Monte  Carlo  tests. 
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4.3.1  Input  Type  1 

Input  Type  1  consists  of: 

KEY  and  DATA 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3;  and 

DATA  is  a  16  character  ASCII  hexadecimal  string  representing  plaintext  if  the  encryption  process 
is  being  tested,  or  ciphertext  if  the  decryption  process  is  being  tested. 

4.3.2  Input  Type  2 

Input  Type  2  consists  of: 

KEY,  IV,  and  DATA 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector;  and 

DATA  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if 
the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested. 

4.3.3  Input  Type  3 

Input  Type  3  consists  of: 


KEY,  n,  DATAj,  DAT A2, . . . ,D AT A„ 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

n  is  an  integer  which  indicates  the  number  of  ciphertext  (C)  values  to  follow;  and 

each  DATA,,  is  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string.  This 
field  should  provide  plaintext  if  the  encryption  process  is  being  tested,  or  ciphertext  if  the 
decryption  process  is  being  tested. 
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4.3.4  Input  Type  4 

Input  Type  4  consists  of: 


KEY 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3. 

4.3.5  Input  Type  5 

Input  Type  5  consists  of: 


KEY,  IV,  n,  TEXTi,  TEXT2,...,TEXT„ 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

n  is  an  integer  which  indicates  the  number  of  TEXT  values  to  follow;  and 

each  TEXT,,  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  TEXT  represents 
P,  C,  or  RESULT. 

4.3.6  Input  Type  6 

Input  Type  6  consists  of: 

KEY  and  IV 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3;  and 

IV  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector. 

4.3.7  Input  Type  7 
Input  Type  7  consists  of 

P,  KEY,,  KEY2,...,KEY32 
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where  P  is  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string;  and 

each  KEY,,  where  i=l  to  32,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3. 

4.3.8  Input  Type  8 

Input  Type  8  consists  of: 


TEXT,IV,KEY1,KEY2,...,KEY32 

where  TEXT  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  (NOTE  —  TEXT 
may  be  referred  to  as  plaintext  or  text.); 

IV  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector;  and 

each  KEY,,  where  i=l  to  32,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3. 

4.3.9  Input  Type  9 

Input  Type  9  supplies  n  key/input  block  pairs.  It  consists  of: 


n  ,P  AIR  i  ,P  AIR2 , . . .  ,P  AIR,, 

In  this  input  type,  the  integer  n  indicates  the  number  of  KEY  values  to  follow.  Each  PAIR, 
consists  of: 

KEY,  and  TEXT, 

where  each  KEY,,  where  i=l  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3;  and 

each  TEXT,,  for  i  =  1  to  n,  is  a  16  character  ASCII  hexadecimal  string  representing  either 
plaintext  or  ciphertext. 

4.3.10  Input  Type  10 

Input  Type  10  consists  of: 

n,  KEYb  KEY2,...,KEY„ 
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where  n  is  an  integer  which  indicates  the  number  of  KEY  values  to  follow;  and 

each  KEY,,  where  i=  1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3; 

4.3.11  Input  Type  11 

Input  Type  11  consists  of: 


INITVAL,  n,  PAIR,,  PAIR2,...,PAIR„ 

where  INITVAL  is  a  16  character  ASCII  hexadecimal  string  representing  either  the  64-bit  IV  or 
the  TEXT,  depending  on  the  mode  of  operation  implemented  by  the  IUT.  (NOTE  —  The  TEXT 
may  be  referred  to  as  plaintext,  ciphertext,  or  text.); 

n  is  an  integer,  which  indicates  the  number  of  KEY/INPUT  PAIRs  to  follow. 

Each  PAIR,  consists  of: 


KEY,  and  I, 


where  each  KEY,,  where  (=1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY  1,  KEY2,  and  KEY3;  and 

each  I,  is  a  16  character  ASCII  hexadecimal  string  representing  either  the  64-bit  IV,  P  or  C, 
depending  on  the  mode  of  operation  implemented. 

4.3.12  Input  Type  12 

Input  Type  12  consists  of: 


INITVAL,  n,  KEY,,  KEY2,..„  KEY,, 

where  INITVAL  is  a  16  character  ASCII  hexadecimal  string  representing  either  the  64-bit  IV  or 
the  64-bit  TEXT  depending  on  the  mode  of  operation  implemented  by  the  IUT.  (NOTE  —  The 
TEXT  may  be  referred  to  as  ciphertext.); 

n  is  an  integer  which  indicates  the  number  of  KEYS  to  follow;  and 

each  KEY,,  where  (=1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3. 
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4.3.13  Input  Type  13 

Input  Type  13  consists  of: 

KEY,  IV 1,  IV2,  IV3,  DATA 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  IC  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 
and 

DATA  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if 
the  encrypt  process  is  being  tested,  ciphertext  if  the  decrypt  process  is  being  tested,  or  TEXT  for 
TCFB-P  mode.  DATA  may  represent  the  value  of  DATA1,  DATA2  and  DATA3  for  Interleaved 
modes  of  operation. 

4.3.14  Input  Type  14 

Input  Type  14  consists  of: 

KEY,  IV 1,  IV2,  IV3 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2=  AAAAAAAAAAAAAAAA; 

4.3.15  Input  Type  15 

Input  Type  15  consists  of: 

KEY,  IV1,  IV2,  IV3,  n,  TEXTli,...,TEXTl„,  TEXT2 1, . . . ,TEXT2„,  TEXT3i,...,TEXT3„ 
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where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

/ 1  is  an  integer,  which  indicates  the  number  of  TEXT  Is,  TEXT2s,  and  TEXT3s  to  follow; 

each  TEXT1,,  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  TEXT1 
represents  P,  C,  or  RESULT; 

each  TEXT2,,  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  TEXT2 
represents  P,  C,  or  RESULT;  and 

each  TEXT3,,  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  TEXT3 
represents  P,  C,  or  RESULT. 

4.3.16  Input  Type  16 

Input  Type  16  consists  of: 


IV1,  IV2,  IV3, 77, KEY i,  KEY2,...,KEY„ 

where  IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

n  is  an  integer  which  indicates  the  number  of  KEY  values  to  follow;  and 

each  KEY,,  where  7=1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3; 

4.3.17  Input  Type  17 

Input  Type  17  consists  of: 

IV 1,  IV2,  IV3, 77,  GROUPi,  GROUP2,...,  GROUP,, 
where  IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 
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IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 
n  is  an  integer,  which  indicates  the  number  of  KEY/INPUT  GROUPS  to  follow. 

Each  GROUP,  consists  of: 


KEY,,  TEXT1,,  TEXT2,,  and  TEXT3, 


where  each  KEY,,  where  i=  1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY  1,  KEY2,  and  KEY3;  and 

each  TEXT1,,  TEXT2,,  and  TEXT3,  is  a  16  character  ASCII  hexadecimal  string  representing  the 
64-bit  Cl,  C2,  and  C3  respectively. 

4.3.18  Input  Type  18 

Input  Type  1 8  consists  of 


TEXT,  IV1,  IV2,  IV3,  KEYb  KEY2,...,KEY32 

Where  TEXT  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string.  TEXT  may 
represent  P  or  TEXT  depending  on  the  mode  of  operation  being  implemented; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri=  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2=  AAAAAAAAAAAAAAAA;  and 

each  KEY,,  where  i=l  to  32,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3. 

4.3.19  Input  Type  19 

Input  Type  19  consists  of: 


IV1,  IV2,  IV3,  n,  PAIR!,  PAIR2,..„  PAIR,, 

where  IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 
IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 


34 


IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

/ 1  is  an  integer  which  indicates  the  number  of  KEY/INPUT  PAIRs  to  follow. 

Each  PAIR,  consists  of: 

KEY,  and  TEXT, 

where  each  KEY,,  where  7=1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3;  and 

each  TEXT,  is  a  16  character  ASCII  hexadecimal  string.  TEXT  may  represent  the  64-bit  TEXT1, 
TEXT2,  and  TEXT3  values,  or  the  IV 1  value  depending  on  the  mode  of  operation  implemented. 

4.3.20  Input  Type  20 

Input  Type  20  consists  of: 

KEY1,  KEY2,  KEY3,  DATA 

where  KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity;  and 

DATA  is  a  16  character  ASCII  hexadecimal  string  representing  plaintext  if  the  encryption  process 
is  being  tested,  or  ciphertext  if  the  decryption  process  is  being  tested. 

4.3.21  Input  Type  21 

Input  Type  21  consists  of: 

KEY1,  KEY2,  KEY3,  IV,  and  DATA 

where  KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.; 

IV  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector;  and 

DATA  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if 
the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested. 

4.3.22  Input  Type  22 

Input  Type  22  consists  of: 
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KEY1,  KEY2,  KEY3,  IV1,  IV2,  IV3,  TEXT1,  TEXT2,  and  TEXT3 


where  KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

TEXT1  is  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string  representing 
plaintext  if  the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested; 

TEXT2  is  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string  representing 
plaintext  if  the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested; 
and 

TEXT3  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if 
the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested. 

4.3.23  Input  Type  23 

Input  Type  23  consists  of: 


KEY,  IV1,  IV2,  IV3,  n,  TEXT^.-YEXT,, 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2=  AAAAAAAAAAAAAAAA; 

n  is  an  integer  which  indicates  the  number  of  TEXT  values  to  follow;  and 

each  TEXT,,  is  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string. 
TEXT1  represents  P,  C,  or  RESULT; 


4.3.24  Input  Type  24 

Input  Type  24  consists  of: 
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KEY1,  KEY2,  KEY3,  IV1,  IV2,  IV3,  and  TEXT 


where  KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA;  and 

TEXT  is  1  to  64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if 
the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested. 

4.3.25  Input  Type  25 

Input  Type  25  consists  of: 


TEXT,  n,  GROUPi,  GROUP2,..„  GROUP,, 

where  TEXT  is  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal  string 
representing  plaintext  if  the  encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is 
being  tested; 

n  is  an  integer  which  indicates  the  number  of  KEY/IV1/IV2/IV3  groups  to  follow. 

Each  GROUP,  consists  of: 


KEY,,  IV  1„  IV2„  and  IV3, 


where  each  KEY,,  where  i=  1  to  n,  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits 
per  hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents 
the  value  of  KEY1,  KEY2,  and  KEY3; 

IV 1,  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2,  is  assigned  the  value  of  IV1  +  Ri  mod  264,  where  Ri  =  5555555555555555;  and 
IV3,  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA. 

4.4  Output  Types 

Eight  different  combinations  of  output  data  are  used  by  the  TMOVS  to  support  the  various 
Known  Answer  tests  and  Monte  Carlo  tests. 
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4.4.1  Output  Type  1 

Output  Type  1  consists  of: 

COUNT,  KEY,  DATA,  and  RESULT 

where  COUNT  is  an  integer  between  1  and  64,  i.e.,  0  <  COUNT  <=  64,  representing  the  output 
line; 

KEY  should  be  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

DATA  is  a  16  character  hexadecimal  string  representing  plaintext  if  the  encrypt  process  is  being 
tested  or  ciphertext  if  the  decrypt  process  is  being  tested;  and 

RESULT  is  a  16  character  hexadecimal  string  indicating  the  resulting  value.  Depending  on  the 
process  of  the  IUT  being  tested,  the  resulting  value  represents  ciphertext  (if  encrypting)  or 
plaintext  (if  decrypting). 

4.4.2  Output  Type  2 

Output  Type  2  consists  of: 

COUNT,  KEY,  CV,  DATA,  and  RESULT 

where  COUNT  is  an  integer  between  1  and  64,  i.e.,  0  <  COUNT  <=  64,  representing  the  output 
line; 

where  KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal 
character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For 
consistency  purposes,  the  DES  keys  should  be  presented  in  odd  parity.  KEY  represents  the  value 
of  KEY1,  KEY2,  and  KEY3; 

CV  is  a  16  character  ASCII  hexadecimal  string; 

DATA  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if  the 
encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested.;  and 

RESULT  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  indicating  the  resulting 
value.  Depending  on  the  process  of  the  IUT  being  tested,  the  resulting  value  may  be  ciphertext  (if 
encrypting)  or  plaintext  (if  decrypting). 

4.4.3  Output  Type  3 

Output  Type  3  consists  of: 
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COUNT,  KEY,  IV1,  IV2,  IV3,  DATA1,  DATA2,  DATA3,  RESULT  1,  RESULT2, 
RESULT3 


where  COUNT  is  an  integer  between  1  and  64,  i.e.,  0  <  COUNT  <=  64,  representing  the  output 
line; 

KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal  character).  The 
8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes, 
the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value  of  KEY1,  KEY2,  and 
KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

DATA1,  DATA2,  and  DATA3  are  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  strings 
representing  values  of  plaintext  PI,  P2,  and  P3  or  input  blocks  II,  12,  and  13  respectively,  if  the 
encrypt  process  is  being  tested,  or  values  of  ciphertext  for  Cl,  C2,  and  C3  if  the  decrypt  process 
is  being  tested; 

RESULT1,  RESULT2,  and  RESULT3  are  1-64  binary  bits  represented  as  an  ASCII  hexadecimal 
strings  indicating  the  resulting  values  corresponding  to  either  Cl,  C2,  and  C3  or  PI,  P2,  and  P3. 
Depending  on  the  process  of  the  IUT  being  tested,  the  resulting  value  may  be  ciphertext  (if 
encrypting)  or  plaintext  (if  decrypting). 

4.4.4  Output  Type  4 

Output  Type  4  consists  of: 

COUNT,  KEY1,  KEY2,  KEY3,  CV1,  CV2,  CV3,  DATA1,  DATA2,  DATA3, 

RESULT  1,  RESULT2,  RESULT3 

where  COUNT  is  an  integer  between  1  and  64,  i.e.,  0  <  COUNT  <=  64,  representing  the  output 
line; 

where  KEY1,  KEY2,  and  KEY3  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  keys  should  be  presented  in  odd  parity.; 

CV1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

CV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

CV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 
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DATA1,  DATA2,  and  DATA3  are  16  character  hexadecimal  strings  representing  values  of 
plaintext  for  PI,  P2,  and  P3  respectively,  if  the  encrypt  process  is  being  tested,  or  values  of 
ciphertext  for  Cl,  C2,  and  C3  if  the  decrypt  process  is  being  tested; 

RESULT1,  RESULT2,  and  RESULT3  are  16  character  hexadecimal  strings  indicating  the 
resulting  values  corresponding  to  either  Cl,  C2,  and  C3  or  PI,  P2,  and  P3.  Depending  on  the 
process  of  the  IUT  being  tested,  the  resulting  value  may  be  ciphertext  (if  encrypting)  or  plaintext 
(if  decrypting). 

4.4.5  Output  Type  5 

Output  Type  5  consists  of: 

COUNT,  KEY1,  KEY2,  KEY3,  DATA,  and  RESULT 

where  COUNT  is  an  integer  between  1  and  400,  i.e.,  0  <  COUNT  <=  400,  representing  the 
output  line; 

KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  keys  should  be  presented  in  odd  parity.; 

DATA  is  a  16  character  hexadecimal  string  representing  plaintext  if  the  encrypt  process  is  being 
tested,  or  ciphertext  if  the  decrypt  process  is  being  tested;  and 

RESULT  is  a  16  character  hexadecimal  string  indicating  the  resulting  value.  Depending  on  the 
process  of  the  IUT  being  tested,  the  resulting  value  represents  ciphertext  (if  encrypting)  or 
plaintext  (if  decrypting). 

4.4.6  Output  Type  6 

Output  Type  6  consists  of: 

COUNT,  KEY1,  KEY2,  KEY3,  CV,  DATA,  and  RESULT 

where  COUNT  is  an  integer  between  1  and  400,  i.e.,  0  <  COUNT  <=  400,  representing  the 
output  line; 

KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  keys  should  be  presented  in  odd  parity.; 

CV  is  a  16  character  ASCII  hexadecimal  string  representing  IV  or  I  depending  on  the  mode 
implemented; 

DATA  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if  the 
encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested;  and 
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RESULT  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  indicating  the  resulting 
value.  Depending  on  the  process  of  the  IUT  being  tested,  the  resulting  value  should  represent 
ciphertext  (if  encrypting)  or  plaintext  (if  decrypting). 

4.4.7  Output  Type  7 

Output  Type  7  consists  of: 

COUNT,  KEY,  IV1,  IV2,  IV3,  DATA,  RESULT  1,  RESULT2,  RESULT3 

where  COUNT  is  an  integer  between  1  and  64,  i.e.,  0  <  COUNT  <=  64,  representing  the  output 
line; 

KEY  is  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per  hexadecimal  character).  The 
8  parity  bits  should  be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes, 
the  DES  key  should  be  presented  in  odd  parity.  KEY  represents  the  value  of  KEY1,  KEY2,  and 
KEY3; 

IV 1  is  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit  initialization  vector; 

IV2  is  assigned  the  value  of  IV 1  +  Ri  mod  264,  where  Ri  =  5555555555555555; 

IV3  is  assigned  the  value  of  IV 1  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

DATA  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  the  value  of 
the  plaintext  if  the  encrypt  process  is  being  tested,  or  the  value  of  the  ciphertext  if  the  decrypt 
process  is  being  tested;  and 

RESULT1,  RESULT2,  and  RESULT3  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal 
string  indicating  the  resulting  values,  which  may  be  ciphertext  (if  encrypting),  or  plaintext  (if 
decrypting). 

4.4.8  Output  Type  8 

Output  Type  8  consists  of: 

COUNT,  KEY1,  KEY2,  KEY3,  II,  12, 13,  DATA,  and  RESULT 

where  COUNT  is  an  integer  between  1  and  400,  i.e.,  0  <  COUNT  <=  400,  representing  the 
output  line; 

KEY1,  KEY2,  and  KEY3  are  represented  as  64  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  The  8  parity  bits  should  be  present  but  ignored,  yielding  56  significant 
bits.  For  consistency  purposes,  the  DES  keys  should  be  presented  in  odd  parity; 

11  is  a  16  character  ASCII  hexadecimal  string  representing  IV  or  I; 

12  is  assigned  the  value  of  II  +  Ri  mod  264,  where  Ri  =  5555555555555555; 
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13  is  assigned  the  value  of  II  +  R2  mod  264,  where  R2  =  AAAAAAAAAAAAAAAA; 

DATA  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  representing  plaintext  if  the 
encrypt  process  is  being  tested  or  ciphertext  if  the  decrypt  process  is  being  tested;  and 

RESULT  is  1-64  binary  bits  represented  as  an  ASCII  hexadecimal  string  indicating  the  resulting 
value.  Depending  on  the  process  of  the  IUT  being  tested,  the  resulting  value  should  represent 
ciphertext  (if  encrypting)  or  plaintext  (if  decrypting). 
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5.  TESTS  REQUIRED  TO  VALIDATE  AN  IMPLEMENTATION 

OF  THE  TRIPLE  DES  ALGORITHM 

The  validation  of  IUTs  of  the  Triple  DES  algorithm  (TDEA)  should  require  the  successful 
completion  of  an  applicable  set  of  Known  Answer  tests  and  the  appropriate  Monte  Carlo  tests. 
The  tests  required  for  validation  of  an  IUT  should  be  determined  by  several  factors.  These  include 
the  mode(s)  of  operation  supported  (TECB,  TCBC,  TCBC-I,  TCFB,  TCFB-P,  TOFB,  TOFB-I), 
the  keying  option  used,  and  the  allowed  cryptographic  processes  (encryption,  decryption,  both). 

A  separate  set  of  Known  Answer  tests  has  been  designed  for  use  with  each  of  the  seven  modes  of 
TDES.  Within  these  sets  of  tests  are  separate  subsets  of  tests  corresponding  to  the  encryption  and 
decryption  processes.  If  an  IUT  implements  multiple  modes  of  operation,  the  set  of  Known 
Answer  tests  corresponding  to  each  supported  mode  of  operation  should  be  tested. 

The  Monte  Carlo  tests  have  been  designed  for  use  with  each  of  the  seven  modes  of  TDES.  For 
the  TECB,  TCBC,  TCBC-I,  TCFB,  and  TCFB-P  modes  of  operation,  there  are  two  tests 
associated  with  each:  one  to  be  used  for  IUTs  allowing  the  encryption  process,  and  the  other  to 
be  used  for  IUTs  allowing  the  decryption  process.  If  both  the  encryption  and  decryption  processes 
are  allowed  by  an  IUT,  both  tests  are  required.  The  TOFB  and  TOFB-I  modes  of  operation  only 
require  one  Monte  Carlo  test,  which  is  designed  for  use  with  both  the  encryption  and  decryption 
processes  of  an  IUT.  For  example,  if  an  IUT  implements  the  TCBC  mode  of  operation  in  both  the 
encryption  and  decryption  processes,  the  Monte  Carlo  Test  for  the  encryption  process  and  the 
Monte  Carlo  Test  for  the  decryption  process  of  the  TCBC  mode  of  operation  should  be 
successfully  completed  to  validate  the  IUT.  If  an  IUT  implements  both  the  encryption  and 
decryption  processes  of  the  TCFB-P  mode  of  operation,  the  Monte  Carlo  Test  for  the  encryption 
process  and  the  Monte  Carlo  Test  for  the  decryption  process  of  the  TCFB-P  mode  of  operation 
should  be  successfully  completed  to  validate  the  IUT.  If  an  IUT  implements  both  the  encryption 
and  decryption  processes  of  the  TOFB  mode  of  operation,  the  Monte  Carlo  Test  for  the  TOFB 
mode  of  operation  should  be  successfully  completed  to  validate  the  IUT. 

If  an  IUT  supports  more  than  one  mode  of  operation,  the  Monte  Carlo  Test  corresponding  to 
each  supported  mode  should  be  performed  successfully.  For  example,  if  an  IUT  implements  the 
TECB  and  TCBC  modes  of  operation  in  the  encryption  process,  the  Monte  Carlo  Test  for  the 
encryption  process  of  both  the  TECB  and  the  TCBC  modes  of  operation  should  be  successfully 
completed  to  validate  the  IUT. 

If  an  IUT  supports  the  3-key  keying  option,  where  KEY1,  KEY2  and  KEY3  are  independent,  the 
Monte  Carlo  Test  should  be  successfully  completed  three  times  -  once  where  the  three  keys  are 
independent,  once  where  KEY1  and  KEY2  are  independent  and  KEY3  =  KEY1,  and  once  where 
KEY1  =  KEY2  =  KEY3  -  to  validate  the  IUT.  If  an  IUT  supports  the  2-key  keying  option, 
where  KEY1  and  KEY2  are  independent  and  KEY3  =  KEY1,  the  Monte  Carlo  Test  should  be 
successfully  completed  two  times  -  once  where  KEY1  and  KEY2  are  independent  and  KEY3  = 
KEY1,  and  once  where  KEY1  =  KEY2  =  KEY3  -  to  validate  the  IUT.  If  an  IUT  only  supports 
the  1-key  keying  option,  where  KEY1=KEY2=KEY3,  the  Monte  Carlo  Test  should  be 
successfully  completed  once  with  all  the  keys  being  equal  to  validate  the  IUT. 
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The  tests  required  to  successfully  validate  IUTs  are  detailed  in  the  following  sections.  These 
sections  are  categorized  by  mode  of  operation.  Within  each  mode  of  operation,  the  tests  are 
divided  into  tests  to  use  with  the  encryption  process  and  tests  to  use  with  the  decryption  process. 
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5.1  TDEA  Electronic  Codebook  (TECB)  Mode 

The  IUTs  which  implement  the  TDES  Electronic  Codebook  (TECB)  mode  should  be  validated  by 
the  successful  completion  of  a  series  of  Known  Answer  tests  and  Monte  Carlo  tests 
corresponding  to  the  cryptographic  processes  allowed  by  the  IUT. 

5.1.1  Encryption  Process 

The  process  of  validating  an  IUT  which  implements  the  TECB  mode  of  operation  for  the 
encryption  process  should  involve  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Plaintext  Known  Answer  Test  -  TECB  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  TECB  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TECB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  TECB 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  TECB  mode 

6.  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TECB  mode 
An  explanation  of  the  tests  follows. 


45 


5.1. 1.1  The  Variable  Plaintext  Known  Answer  Test  -  TECB  Mode 


Table  1  The  Variable  Plaintext  Known  Answer  Test  -  TECB  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

Pi  =  8000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  KEY3),  Pi 

IUT:  FOR  i  =  1  to  64 

{ 


Perform 
Triple  DES: 


} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 
See  Table  A.l. 


Ii  =  Pi 

h  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  P„  C, 

Pi+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 


Table  1  illustrates  the  Variable  Plaintext  Known  Answer  Test  for  the  TECB  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  plaintext  Pi  to  the  basis  vector  containing  a'T"  in  the  first  bit 
position  and  "0"  in  the  following  63  positions,  i.e.,  Pi  bin  =  10000000  00000000 
00000000  00000000  00000000  00000000  00000000  00000000.  The  equivalent  of 
this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 
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c.  Forwards  this  information  to  the  IUT  using  Input  Type  1. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Set  the  input  block  I,  equal  to  the  value  of  P,. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  ciphertext  Q.  This  involves 
processing  I,  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state 
using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,  resulting 
in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage, 
denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (where  KEY  represents  the 
value  of  KEY1,  KEY2,  and  KEY3),  Pi,  and  the  resulting  Cj  to  the  TMOVS  as 
specified  in  Output  Type  1. 

d.  Retain  Cj  for  use  with  the  Inverse  Permutation  Known  Answer  Test  for  the  TECB 
Mode  (Section  5. 1.1. 2  ),  and,  if  the  IUT  supports  the  decryption  process,  for  use 
with  the  Variable  Ciphertext  Known  Answer  Test  for  the  TECB  Mode  (Section 
5. 1.2.1). 

e.  Assign  a  new  value  to  Pi+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i+l=2,...,64. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  P,  i.e.,  64  times.  The  output  from  the  IUT 

should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values  found  in  Table  A.l. 
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5.1. 1.2  The  Inverse  Permutation  Known  Answer  Test  -  TECB  Mode 

Table  2  The  Inverse  Permutation  Known  Answer  Test  -  TECB  Mode 

TMOVS:  Initialize:  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0 1 0 1 0 1 0 1 0 1 010101  (odd  parity  set) 

Pi  (where  i=1..64)  =  64  C  values  from  the  Variable  Plaintext  Known 
Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  Pi,...,P64 

IUT:  FOR  i  =  1  to  64 

{ 

E  =  P, 

h  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1,  resulting  in 
TEMPI 

Perform 

Triple  DES:  TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C; 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  P;,  C* 

Pj+i  —  corresponding  ,  i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Should  be  the  set  of  basis  vectors. 

Table  2  illustrates  the  Inverse  Permutation  Known  Answer  Test  for  the  TECB  mode  of  operation. 
1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  plaintext  P;  (where  i=1..64)  to  the  Cj  results  obtained  from  the 
Variable  Plaintext  Known  Answer  Test. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  3. 
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2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Set  the  input  block  I;  equal  to  the  value  of  P,. 

b.  Process  I,  through  the  three  DEA  stages  resulting  in  ciphertext  Q.  This  involves 
processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state 
using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,  resulting 
in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage, 
denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  P,.  and  the  resulting  Q  to  the  TMOVS  as  specified  in  Output 
Type  1. 

d.  Assign  a  new  value  to  Pi+i  by  setting  it  equal  to  the  corresponding  output  from  the 
TMOVS. 

NOTE  —  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values.  The  C  values  should  be  the  set  of  basis  vectors. 
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5.1. 1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  - 
TECB  Mode 

Table  3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TECB 

Mode 

TMOVS:  Initialize  KEYs:  KEY1 ,  =  KEY2,  =  KEY3,  =  800 1010 101010101  (odd  parity  set) 

P=0000000000000000 

Send  KEY i (representing  KEYlb  KEY2U  KEY3i),  P 

IUT:  FOR  i  =  1  to  64 

{ 

IF  (i  %  8  ^  0)  {process  every  bit  except  parity  bits} 

{ 

I  =  P 

I  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,,  resulting  in 
TEMPI 

Perform 

Triple  DES:  TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in  TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  Cj 

Send  i,  KEY;  (representing  KEYlj,KEY2j,  and  KEY3j),  P,  Q 

KEYli+i  =KEY2i+i  =KEY3i+i  =  vector  consisting  of  "0"  in  every  significant  bit 
position  except  for  a  single  "1"  bit  in  position  i+1.  Each  parity  bit  may  have  the  value 
"l"  or  "0”  to  make  the  KEY  odd  parity. 

} 

} 

TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers. 

Use  Table  A.2. 

As  summarized  in  Table  3,  the  Variable  Key  Known  Answer  Test  for  the  TECB  Encryption 
Process  is  performed  as  follows: 

1.  The  TMOVS: 
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a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin= 
KEY2lbin=  KEY3ibin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  plaintext  P  to  the  value  of  0,  i.e.,  Phex  =  00  00  00  00  00  00  00 

00. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  1. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 


a.  Set  the  input  block  I  equal  to  the  value  of  P. 

b.  Using  the  corresponding  KEYli,  KEY2,,  and  KEY3;  parameters,  process  I  through 
the  three  DEA  stages  resulting  in  ciphertext  Cj.  This  involves  processing  I  through 
the  DEA  stage  DEAi  in  the  encrypt  state  using  KEYlj,  resulting  in  intermediate 
value  TEMPI.  TEMPI  is  fed  directly  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2,,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly 
into  the  DEA  stage  DEA3  in  the  encrypt  state  using  KEY3i,  resulting  in  ciphertext 
Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY  1 ,, 
KEY2j,  KEY3j),  P,  and  the  resulting  Cj  to  the  TMOVS  as  specified  in  Output 
Type  1. 

d.  If  the  IUT  supports  the  decryption  process,  retain  Cj  for  use  with  the  Variable  Key 
Known  Answer  Test  for  the  Decryption  Process  for  the  TECB  Mode  (Section 

5. 1.2.3). 

e.  Set  KEY li+i.,  KEY2i+i,,  and  KEY3i+i  equal  to  the  vector  consisting  of  ”0"  in  every 
significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1.  The  parity  bits 
may  contain  "1"  or  "0"  to  make  odd  parity. 

NOTE  —  The  above  processing  continues  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameter.  The 
output  from  the  IUT  for  this  test  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values  found  in  Table  A. 2. 
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5.1. 1.4  Permutation  Operation  Known  Answer  Test  for  the  Encryption 

Process  -  TECB  Mode 

Table  4  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  - 

TECB  Mode 

TMOVS:  Initialize  KEY1,  =  KEY2,  =  KEY3,  (where  i  =  l-32)=32  KEY  values  in 

Tabic  A. 3 

P  =  0000000000000000 

Send  P,  KEY i,  KEY2,...,KEY32  (Since  all  three  keys  are  the  same,  these 

key  values  represent  the  values  of  KEY1,  KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 

___ 

Perform  I  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,, 

Triple  DES:  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2i,  resulting  in  TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  Q 

Send  i,  KEY,  (representing  KEY1;,  KEY2„  KEY3;),  P,  C, 

KEYli+1  =  KEY2i+1  =  KEY31+i  =  KEYi+1  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A. 3. 

Table  4  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  TECB  Encryption 
Process. 

1.  The  TMOVS: 

a.  Initializes  the  KEY1,  KEY2,  and  KEY3  variables  with  the  32  constant  KEY  values 
from  Table  A. 3. 

b.  Initializes  the  plaintext  P  to  the  value  of  0,  i.e.,  Phex=00  00  00  00  00  00  00  00. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  7. 
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2.  The  IUT  should  perform  the  following  for  i  =  1  to  32: 

a.  Set  the  input  block  I  equal  to  the  value  of  P. 

b.  Using  the  corresponding  KEYlj,  KEY2,,  and  KEY3i  values,  process  I  through  the 
three  DEA  stages  resulting  in  ciphertext  Cj.  This  involves  processing  I  through  the 
DEA  stage  DEAi  in  the  encrypt  state  using  KEYlj,  resulting  in  intermediate  value 
TEMPI.  TEMPI  is  fed  directly  into  the  DEA  stage  DEA2  in  the  decrypt  state 
using  KEY2j,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into 
the  DEA  stage  DEA3  in  the  encrypt  state  using  KEY3j,  resulting  ciphertext  Cj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  KEY3),  P,  and  the  resulting  Cj  to  the  TMOVS  as  specified  in  Output  Type 

1. 

d.  If  the  IUT  supports  the  decryption  process,  retain  Cj  for  use  with  the  Permutation 
Operation  Known  Answer  Test  for  the  Decryption  Process  for  the  TECB  mode 
(Section  5. 1.2.4). 

e.  Set  KEY li+i,  KEY2i+i,  and  KEY3i+i  equal  to  the  next  key  supplied  by  the 
TMOVS. 

NOTE—  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values  found  in  Table  A. 3. 
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5.1. 1.5  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 
TECB  Mode 

Table  5  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 

TECB  Mode 

TMOVS:  Initialize  KEYI,  KEY2,  KEY3,  (where  i=l ..  19)  =  19  KEY  values  in 

Table  A.4 

P;  (where  i=  1 . .  1 9)  =  19  corresponding  P  values  in  Table  A.4 

Send  KEYi,  Pi,  KEY2,  P2,...,  KEYi9,  Pi9  (Since  all  three  keys  are 

the  same,  these  key  values  represent  the  values  of  KEY  1, 
KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  19 

{ 

Ii  =  Pi 

Perform  Triple  pis  read  into  TDEA  and  is  encrypted  by  DEAi  using 
DES:  KEYI;,  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in 

Ci 

Send  i,  KEY,  (representing  KEYli,KEY2„KEY31),  P„  C, 
KEYli+1  =  KEY21+1  =  KEY31+1  =  KEY1+1  from  TMOVS 
Pi+i  =  P1+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A.4. 

As  summarized  in  Table  5,  the  Substitution  Table  Known  Answer  Test  for  the  TECB  Encryption 
Process  is  performed  as  follows: 

1.  The  TMOVS: 
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a.  Initializes  the  KEY-plaintext  (KEY-P)  pairs  with  the  19  constant  KEY-P  values 
from  Table  A.4.  The  KEY  value  indicates  the  value  of  KEY1,  KEY2,  and  KEY3, 

i.e.,  KEY1=KEY2=KEY3. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  9. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  19: 

a.  Set  the  input  block  I,  equal  to  the  value  of  Pi. 

b.  Using  the  corresponding  KEYlj,KEY2j,  and  KEY3j  values,  process  E  through  the 
three  DEA  stages  resulting  in  ciphertext  C,.  This  involves  processing  I;  through  the 
first  DEA  stage,  denoted  DEA,,  in  the  encrypt  state  using  KEY1 ,,  resulting  in 
intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the  second  DEA  stage, 
denoted  DEA2,  in  the  decrypt  state  using  KEY2,,  resulting  in  intermediate  value 
TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3j,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  KEY3),  P,.  and  the  resulting  Q  to  the  TMOVS  as  specified  in  Output  Type 

1. 

d.  If  the  IUT  supports  the  decryption  process,  retain  Q  for  use  with  the  Substitution 
Table  Known  Answer  Test  for  the  Decryption  Process  for  the  TECB  mode 
(Section  5. 1.2.5). 

e.  Set  KEY li+i,  KEY2i+i,  and  KEY3j+i  equal  to  the  KEYi+i  supplied  by  the  TMOVS. 

f.  Set  Pi+]  equal  to  the  corresponding  Pi+i  value  supplied  by  the  TMOVS. 

NOTE—  The  above  processing  should  continue  until  all  19  KEY-P  pairs  are  processed.  The  output  from  the  IUT  for  this  test 

should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values  found  in  Table  A.4. 


55 


5.1. 1.6 


Monte  Carlo  Test  for  the  Encryption  Process  -  TECB  Mode 


Table  6  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TECB  Mode 

TMOVS:  Initialize  KEY10.  KEY2„,  KEY30,  P0 

Send  KEYlo,  KEY20,  KEY30,  Po 

IUT:  FOR  i  =  0  TO  399 

{ 

Record  i,  KEYlj,  KEY2„  KEY3„  P0 
FOR  j  =  0  TO  9,999 
{ 

Perform  Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 

Triple  DES:  KEY  1 ,,  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in 

Q 

PJ+1  =  Cj 

} 

Record  Cj 

Send  i,  KEY1„  KEY2j,  KEY3;,  P0,  Cj 
KEYli+i=  KEYlj  ®  Cj 

If  (KEYlj  and  KEY2,  are  independent  and  KEY3j  =  KEYlj)  or 
(KEYlj,  KEY2j,  and  KEY3j  are  independent), 

KEY2i+i=  KEY2;  ®  Cj_, 

else 

KEY2j+i=  KEY2;  ©  Q 
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If  (KEY1;  =KEY2,  =KEY3;)  or  (KEYlj  and  KEY2,  are 
independent  and  KEY3j  =  KEY  1 

KEY3j+i=  KEY3,  ©  Q 

else 

KEY3i+i=  KEY3,  ©  Cj_2 
Po  =  Cj 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  6,  the  Monte  Carlo  Test  for  the  TECB  Encryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  and  the  plaintext  P 
variables.  The  P  and  KEYs  consist  of  64  bits. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  20. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1 KEY2,.  KEY3i, 
and  Po. 

b.  Perform  the  following  for  j  =0  through  9999: 

1)  Set  the  input  block  I,  equal  to  the  value  of  P,. 

2)  Using  the  corresponding  KEY  1 KEY2,  and  KEY3i  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  ciphertext  Cj.  This  involves 
processing  I,  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  decrypt  state  using  KEY2,,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEA3  in  the  encrypt  state  using  KEY3i,  resulting  in  ciphertext  Cj. 

3)  Prepare  for  loop  j+1  by  assigning  PJ+i  with  the  current  value  of  Cj. 

c.  Record  Cj. 


57 


d.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  5,  to 
the  TMOVS. 

e.  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop.  Note  j=9999. 

The  new  KEYli+1  should  be  calculated  by  exclusive-ORing  the  current  KEY1 ,  with 
the  Cj. 

The  new  KEY2i+]  calculation  is  based  on  the  values  of  the  keys.  If  KEYli  and 
KEY2;  are  independent  and  KEY3i  =  KEY  1 ,,  or  KEY1 KEY2,,  and  KEY3i  are 
independent,  the  new  KEY2i+i  should  be  calculated  by  exclusive-ORing  the  current 
KEY2,  with  the  CH.  If  KEY li=KEY2i=KEY3i,  the  new  KEY21+1  should  be 
calculated  by  exclusive-ORing  the  current  KEY2,  with  the  Cj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If  KEYlj, 
KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3i  with  the  Cj_2.  If  KEYlj  and  KEY2,  are 
independent  and  KEY3;  =  KEYlj,  or  if  KEY1  ,=KEY2I=KEY3„  the  new  KEY3i+i 
should  be  calculated  by  exclusive-ORing  the  current  KEY3j  with  the  Cj. 

f.  Assign  a  new  value  to  P  in  preparation  for  the  next  output  loop.  Po  should  be 
assigned  the  value  of  the  current  Cj.  Note  j  =  9999. 

NOTE  —  the  new  P  should  be  denoted  as  Po  to  be  used  for  the  first  pass  through  the  inner  loop  when  j=0. 

NOTE—  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  5. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 
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5.1.2  Decryption  Process 

The  process  of  validating  an  IUT  which  implements  the  TECB  mode  of  operation  in  the 
decryption  process  should  involve  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Ciphertext  Known  Answer  Test  -  TECB  mode 

2.  The  Initial  Permutation  Known  Answer  Test  -  TECB  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process-  TECB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process-  TECB  mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  TECB  mode 

6.  The  Monte  Carlo  Test  for  the  Decryption  Process-  TECB  mode 
An  explanation  of  the  tests  follows. 
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5.1.2.1  The  Variable  Ciphertext  Known  Answer  Test  -  TECB  Mode 

Table  7  The  Variable  Ciphertext  Known  Answer  Tests  -  TECB  Mode 

TMOVS:  Initialize  KEYs:  KEY1=KEY2=KEY3=0101010101010101  (odd  parity  set) 

If  encryption  is  supported  by  IUT: 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3) 

If  encryption  is  not  supported  by  IUT: 

Initialize  C;  (where  i=1..64)  =  64  C  values  in  Table  A.l 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  Cu  C2,...,C64 

IUT:  If  encryption  is  supported  by  IUT: 

Initialize  Ci  =  first  value  from  output  of  Variable  Plaintext  Known  Answer 
Test. 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  64 

{ 

Ii  =  Q 

Perform 

Triple  DES:  I,  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEY1,  resulting  in  Pt 
Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  Q,  P, 

If  encryption  is  supported: 

Cj+i=  corresponding  Q+i  from  output  of  Variable  Plaintext  Known 
Answer  Test 

else 

Ci+i=  the  corresponding  Ci+i  value  from  TMOVS 
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} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Should  be  the  set  of  basis 

vectors. 


Table  7  illustrates  the  Variable  Ciphertext  Known  Answer  test  for  the  TECB  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEY  1  hex=KEY2|iex=KEY3hex=0 1  01 
010101010101. 

b.  If  the  IUT  does  not  support  encryption,  the  64  constant  ciphertext  values  from 
Table  A.l  are  initialized. 

c.  If  encryption  is  supported  by  the  IUT,  the  KEYs  are  forwarded  to  the  IUT  using 
Input  Type  4.  If  encryption  is  not  supported  by  the  IUT,  forward  the  KEYs  and  64 
C  values  to  the  IUT  using  Input  Type  3. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C  value  with  the  first  C  value  retained  from 
the  Variable  Plaintext  Known  Answer  Test  for  the  TECB  Mode  (Section  5. 1.1.1). 
Otherwise,  use  the  first  value  received  from  the  TMOVS. 

b.  Perform  the  following  for  i=l  through  64: 

1)  Set  the  input  block  I;  equal  to  the  value  of  Q. 

2)  Process  I;  through  the  three  DEA  stages  resulting  in  plaintext  P,.  This 
involves  processing  I;  through  the  DEA  stage  DEA3  in  the  decrypt  state 
using  KEY3,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the 
DEA  stage  DEAi  in  the  decrypt  state  using  KEY1,  resulting  plaintext  P,. 

3)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  1. 

4)  Retain  P,  for  use  with  the  Initial  Permutation  Known  Answer  Test  for  the 
TECB  Mode  (Section  5. 1.2.2). 

5)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  output  from 
the  Variable  Plaintext  Known  Answer  Test  for  the  TECB  mode.  If 
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encryption  is  not  supported,  assign  a  new  value  to  Ci+i  by  setting  it  equal  to 
the  corresponding  Ci+]  value  supplied  by  the  TMOVS. 


NOTE—  The  output  from  the  IUT  for  this  test  should  consist  of  64  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  P  results  should  be  the  set  of  basis  vectors. 


62 


5.1.2.2 


The  Initial  Permutation  Known  Answer  Test  -  TECB  Mode 


Table  8  Initial  Permutation  Known  Answer  Test  -  TECB  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity 

set) 

Cj  (where  i=1..64)=64  P  values  from  Variable  Ciphertext 
Known  Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  C,  ..  C64 

IUT:  FOR  i  =  1  to  64 

{ 

Ii  =  Q 

Perform 

Triple  DES:  I,  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 

resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2  ,  resulting  in  TEMP2 
TEMP2  is  decrypted  by  DEAi  using  KEY1,  resulting  in  P, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  Cj,  P; 

Ci+i=  corresponding  Ci+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

See  Table  A.l. 

Table  8  illustrates  the  Initial  Permutation  Known  Answer  Test  for  the  TECB  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

NOTE  —  the  significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "1"  to  make  odd  parity. 

b.  Initializes  the  64-bit  ciphertext  C,  (where  i=l,...,64)  to  the  P  results  obtained  from 
the  Variable  Ciphertext  Known  Answer  Test. 
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c.  Forwards  this  information  to  the  IUT  using  Input  Type  3. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Set  the  input  block  I,  equal  to  the  value  of  C,. 

b.  Process  f  through  the  three  DEA  stages  resulting  in  plaintext  P,.  This  involves 
processing  I,  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the  DEA  stage 
DEA2  in  the  encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP2. 
TEMP2  is  fed  directly  into  the  DEA  stage  DEAi  in  the  decrypt  state  using  KEY1, 
resulting  in  plaintext  P,. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  Cj,  and  the  resulting  Pi  to  the  TMOVS  as  specified  in  Output 
Type  1. 

d.  Set  Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE—  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 

in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values. 
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5.1.2.3 


The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  - 
TECB  Mode 


Table  9  The  Variable  Key  Known  Answer  Tests  for  the  Decryption  Process  -  TECB 

Mode 


TMOVS:  Initialize  KEYi:  KEYli  =  KEY2i  =  KEY3i  =  8001010101010101  (odd 

parity  set) 

If  encryption  is  supported  by  the  IUT: 

Send  KEYi  (representing  KEYli,  KEY2i,  and  KEY3i) 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Cj(where  i=l.. 56):  56  C  values  in  Table  A. 2 

Send  KEYt  (representing  KEYli,  KEY2i,  and  KEY3i),  Ci,  C2,...,C56 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Ci  =  first  value  from  output  of  Variable  Key  Known  Answer  Test 
for  the  Encryption  Process 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  64 

{ 

IF  (i  mod 

{ 

Perform 
Triple 
DES: 


Send  i,  KEY,  (representing  KEYI;,  KEY2,,  and  KEY3,),  C,, 

Pi 


8^0)  {process  every  bit  except  parity  bits} 


Ii  =  Ci 

I;  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3j  resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2;  resulting 
in  TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEYI;  resulting 
in  Pi 
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KEYli+i  =KEY2i+i  =KEY3j+i  =  vector  consisting  of  "0"  in 
every  significant  bit  position  except  for  a  single  "  1 "  bit  in 
position  i+1.  NOTE  —  odd  parity  is  set. 

If  encryption  is  supported  by  the  IUT: 

Ci+i=  corresponding  Q+i  from  output  of  Variable 
Key  Known  Answer  Test  for  the  Encryption 
Process 

else 

Ci+i=  corresponding  Ci+i  from  TMOVS 

} 

} 

TMOVS:  Compare  results  of  the  56  decryptions  with  known  answers. 

Should  be  P=0000000000000000  for  all  56  rounds. 


Table  9  illustrates  the  Variable  Key  Known  Answer  Test  for  the  TECB  Decryption  Process. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin= 
KEY2,  bin=  KEY3!  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "  1 "  to  get  odd  parity. 

b.  If  the  IUT  does  not  support  encryption,  the  Q  values  are  initialized  with  the  56 
constant  C  values  from  Table  A.2. 

c.  If  encryption  is  not  supported  by  the  IUT,  the  KEY  (representing  KEY1,  KEY2, 
KEY3),  and  the  56  C  values  are  forwarded  to  the  IUT  using  Input  Type  3. 
Otherwise,  the  KEY  (representing  KEY1,  KEY2,  and  KEY3)  is  forwarded  to  the 
IUT  using  Input  Type  4. 

2.  The  IUT  should: 
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a.  If  encryption  is  supported,  initialize  the  C  value  with  the  first  C  value  retained  from 

the  Variable  KEY  Known  Answer  Test  for  the  Encryption  Process  for  the  TECB 

Mode  (Section  5. 1.1.3).  Otherwise,  use  the  first  value  received  from  the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  56: 

NOTE  -  56  is  the  number  of  significant  bits  in  a  TDES  key. 

1)  Set  the  input  block  I,  equal  to  the  value  of  Cj. 

2)  Using  the  corresponding  KEY U,  KEY2j,  and  KEY3j  parameters,  process  I, 
through  the  three  DEA  stages  resulting  in  plaintext  P,.  This  involves 
processing  I;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2,,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEAi  in  the  decrypt  state  using  KEY1 ,,  resulting  in  plaintext  P;. 

3)  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing 
KEYli,  KEY2j,  and  KEY3;),  Cj,  and  the  resulting  P;  to  the  TMOVS  as 
specified  in  Output  Type  1. 

4)  Set  KEYlj+i,,  KEY2i+i,,  and  KEY3i+i.,  equal  to  the  vector  consisting  of  "0" 
in  every  significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 
The  parity  bits  may  contain  "1"  or  "0"  to  make  odd  parity. 

NOTE  -  KEY  1  i+1  =  KEY2.+1  =  KEY3,+i. 

5)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  Ci+i  value 
retained  from  the  Variable  Key  Known  Answer  Test  for  the  Encryption 
Process  for  TECB  mode.  If  encryption  is  not  supported  by  the  IUT,  set 
Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  56  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  P  results  should  be  all  zeros. 
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5.1.2.4  Permutation  Operation  Known  Answer  Test  for  Decryption  Process  - 

TECB  Mode 

Table  10  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  - 

TECB  Mode 

TMOVS:  Initialize  KEYI ,  =KEY2,  =KEY3,  =(  where  i=1..32j  =  32  KEY  values  in  Table  A.3 

If  encryption  is  supported  by  the  IUT: 

Send  KEYi,  KEY2,...,  KEY32  (Since  all  three  keys  are  the  same,  these 
key  values  represent  the  values  of  KEYI,  KEY2,  and  KEY3.) 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Q  (where  i=1..32)  =  corresponding  C  values  in  Table  3 

Send  KEYi,  Ci,  KEY2,  C2,...,KEY32,  C32  (The  key  values  represent  the 
values  of  KEYI,  KEY2,  and  KEY3.) 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Q  =  first  value  retained  from  Permutation  Operation  Known 
Answer  Test  for  the  Encryption  Process 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  32 

{ 

Ii  =  Q 

Perform 

Triple  DES:  I,  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 

KEY3i,  resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEY  1;,  resulting  in 

Pi 

Send  i,  KEYj  (representing  KEYI;,  KEY2,,  and  KEY3j),  Q, 

Pi 

KEY  li+1  =  KEY21+1  =  KEY3i+,  =  corresponding  KEY1+1 
supplied  by  TMOVS 
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If  encryption  is  supported: 

Ci+i  =  corresponding  Ci+i  from  output  of 
Permutation  Operation  Known  Answer  Test  for  the 
Encryption  Process 

else 

Ci+i  =  corresponding  Ci+i  from  TMOVS 


} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Should  be  P=0000000000000000  for  all  32  rounds. 


Table  10  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  TECB  Decryption 
Process. 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY1,  KEY2,  and  KEY3  variables  are 
initialized  with  the  32  constant  KEY  values  from  Table  A. 3.  If  the  IUT  does  not 
support  encryption,  the  KEY-ciphertext  (KEY-C)  pairs  are  initialized  with  the  32 
constant  KEY-C  pairs  from  Table  A. 3. 

NOTE  -  KEY  1  =KE Y 2=KE  Y  3 . 

b.  If  encryption  is  supported  by  the  IUT,  the  32  KEY  values  for  KEY1,  KEY2,  and 
KEY3  are  forwarded  using  Input  Type  10.  If  encryption  is  not  supported  by  the 
IUT,  the  32  KEY-C  pairs  are  forwarded  to  the  IUT  using  Input  Type  9. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C  value  with  the  first  C  value  retained  from 
the  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  for  the 
TECB  Mode  (Section  5. 1.1. 4).  Otherwise,  use  the  first  value  received  from  the 
TMOVS. 

b.  Perform  the  following  for  i  =  1  to  32: 

1)  Set  the  input  block  I,  equal  to  the  value  of  Q. 

2)  Using  the  corresponding  KEY  1  |.KEY2,,  and  KEY3i  values,  process  I; 
through  the  three  DEA  stages  resulting  in  plaintext  P,.  This  involves 
processing  f  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
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KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2,,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEA!  in  the  decrypt  state  using  KEY  1 ,,  resulting  in  plaintext  P,. 

3)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  1. 

4)  Assign  a  new  value  to  KEYli+i,  KEY2i+i,  and  KEY3j+i  by  setting  them 
equal  to  the  corresponding  KEYi+i  value  supplied  by  the  TMOVS. 

NOTE  -  KEY  1  =KE Y 2=KE Y  3 . 

5)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  Ci+i  value 
retained  from  the  Permutation  Operation  Known  Answer  Test  for  the 
Encryption  Process  for  the  TECB  mode.  If  encryption  is  not  supported,  set 
Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE—  The  above  processing  should  continue  until  all  32  KEY-C  values  are  passed  as  specified  in  Input  Type  9,  or  all  32 

KEY  values  are  passed  as  specified  in  Input  Type  10.  The  output  from  the  IUT  for  this  test  should  consist  of  32  output  strings. 

Each  output  string  should  consist  of  information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  P  results  should  be  all  zeros. 
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5.1.2.5  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 
TECB  Mode 

Table  11  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 

TECB  Mode 

TMOVS:  Initialize  KEYI,  =  KEY2,  =  KEY3,  (where  i=1..19)  =  19  KEY  values  in  Table  A.4 

If  encryption  is  supported  by  the  IUT: 

Send  KEYi,  KEY2,...,KEY i9  (Since  all  three  keys  are  the  same,  these  key 
values  represent  the  values  of  KEYI,  KEY2,  and  KEY3.) 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Cj  (where  i=  1 . .  1 9)  =  corresponding  C  values  in  Table  A.4 

Send  KEYi,  Ci,  KEY2,  C2,...,KEYi9,  Ci9(The  key  values  represent  the  values 
of  KEYI,  KEY2  and  KEY3.) 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Ci  =  first  value  retained  from  the  Substitution  Table  Known  Answer 
Test  for  the  Encryption  Process 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  19 

{ 

I;  =  Ci 

Perform 

Triple  DES:  I,  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 

resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,,  resulting  in  TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEYI;,  resulting  in  P; 

Send  i,  KEY,,  Cj,  P,  (where  KEY,  represents  the  value  of  KEYI,  KEY2 
and  KEY3) 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  corresponding  KEYi+i  supplied  by 
TMOVS 

If  encryption  is  supported: 
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Ci+i  =  corresponding  Ci+i  from  output  of  Substitution  Table  Known 
Answer  Test  for  the  Encryption  Process  for  the  TECB  mode 

else 

Cj+i  =  corresponding  Ci+i  from  TMOVS 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  See  Table  A. 4. 


As  summarized  in  Table  11,  the  Substitution  Table  Known  Answer  Test  for  the  TECB  Decryption 

Process  is  performed  as  follows: 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY1,  KEY2,  and  KEY3  variables  are 
initialized  with  the  19  constant  KEY  values  from  Table  A.4.  If  the  IUT  does  not 
support  encryption,  the  KEY-ciphertext  (KEY-C)  pairs  are  initialized  with  the  19 
constant  KEY-C  pairs  from  Table  A. 4. 

NOTE  -  KEY  1  =KE Y 2=KE Y  3 . 

b.  If  encryption  is  supported  by  the  IUT,  the  19  KEY  values  for  KEY1,  KEY2,  and 
KEY3  are  forwarded  to  the  IUT  using  Input  Type  10.  The  19  KEY-C  pairs  are 
forwarded  to  the  IUT  using  Input  Type  9  if  encryption  is  not  supported  by  the 
IUT. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C,  value  with  the  first  C  value  retained 
from  the  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  for 
the  TECB  Mode  (Section  5. 1.1.5).  Otherwise,  use  the  first  C  value  received  from 
the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  19: 

1)  Set  the  input  block  I*  equal  to  the  value  of  Q. 

2)  Using  the  corresponding  KEY U,  KEY2i,  and  KEY3i  values,  process  I; 
through  the  three  DEA  stages  resulting  in  plaintext  P;.  This  involves 
processing  I;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2i?  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEAi  in  the  decrypt  state  using  KEY  1 ,,  resulting  in  plaintext  P,. 
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3)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  1. 

4)  Set  KEYlj+i,  KEY2i+j,  and  KEY3i+i  equal  to  the  next  key  supplied  by  the 
TMOVS. 

5)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  Ci+i  value 
retained  from  the  Substitution  Table  Known  Answer  Test  for  the 
Encryption  Process  for  the  TECB  mode.  If  encryption  is  not  supported,  set 
Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —The  above  processing  should  continue  until  all  19  KEY-C  pairs,  as  specified  in  Input  Type  9,  or  all  19  KEY  values,  as 
specified  in  Input  Type  10,  are  processed.  The  output  from  the  IUT  for  this  test  should  consist  of  19  output  strings.  Each  output 
string  should  consist  of  information  included  in  Output  Type  1. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 
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5.1.2.6 


Monte  Carlo  Test  for  the  Decryption  Process  -  TECB  Mode 


Table  12  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TECB  Mode 

TMOVS:  Initialize  KEY10,  KEY20,  KEY30,  C0 

Send  KEYlo,  KEY20,  KEY30,  C0 

IUT:  FOR  i  =  0  TO  399 

{ 

Record  i,  KEY1;,  KEY2„  KEY3;,  C0 
FOR  j  =  0  TO  9,999 
{ 

Process 

Triple  DES:  Ij  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3j,  resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEY1 ,,  resulting  in 

P.i 

Q+i  =  Pj 

} 

Record  P, 

Send  i,  KEYlj,  KEY2„  KEY3„  C0,  Pj 
KEYli+1=  KEYlj  ©  Pj 

If  (KEY  1  j  and  KEY2,  are  independent  and  KEY3,  =  KEY  10  or  (KEY1 ,, 
KEY2j,  and  KEY3j  are  independent), 

KEY21+1=  KEY2,  ©  Pj_, 

else 

KEY21+1=  KEY2,  ©  Pj 
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If  (KEYli  =KEY2i  =KEY3j)  or  (KEYlj  and  KEY2,  are  independent  and 
KEY3;  =  KEY10, 

KEY3i+i=  KEY3j  ©  P, 

else 

KEY3i+i=  KEY3,  ©  Pj_2 
Co  =  Pj 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  12,  the  Monte  Carlo  Test  for  the  TECB  Decryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  and  the  ciphertext  C 
variables.  The  C  and  KEYs  consist  of  64  bits. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  20. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1;,  KEY2,.  KEY3j, 
and  C0. 

b.  Perform  the  following  for  j  =0  through  9999: 

1)  Set  the  input  block  Ij  equal  to  the  value  of  C,. 

2)  Using  the  corresponding  KEY  1  ,.KEY2,,  and  KEY3i  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  plaintext  Pj.  This  involves 
processing  Ij  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2,,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEAi  in  the  decrypt  state  using  KEY1 ,,  resulting  in  plaintext  Pj. 

3)  Prepare  for  loop  j+1  by  assigning  CJ+i  with  the  current  value  of  Pj. 

c.  Record  Pj. 
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d.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  5,  to 
the  TMOVS. 

e.  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop.  Note  j  =  9999. 

The  new  KEYli+1  should  be  calculated  by  exclusive-ORing  the  current  KEY1 ,  with 
the  Pj. 

The  new  KEY2i+]  calculation  is  based  on  the  values  of  the  keys.  .  If  KEYlj  and 
KEY2;  are  independent  and  KEYS,  =  KEYlj,  or  KEYlj,  KEY2j,  and  KEY3j  are 
independent,  the  new  KEY2i+i  should  be  calculated  by  exclusive-ORing  the  current 
KEY2;  with  the  PH.  If  KEYli=KEY2i=KEY31,  the  new  KEY2i+1  should  be 
calculated  by  exclusive-ORing  the  current  KEY2,  with  the  Pj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If  KEYlj, 
KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  Pj_2.  If  KEY lj  and  KEY2j  are 
independent  and  KEY3;  =  KEYlj,  or  if  KEY  1  ;=KEY 2j=KEY 3;,  the  new  KEY3i+i 
should  be  calculated  by  exclusive-ORing  the  current  KEY3j  with  the  Pj. 

f.  Assign  a  new  value  to  C  in  preparation  for  the  next  output  loop.  Co  should  be 
assigned  the  value  of  the  current  Pj.  Note  j  =  9999. 

NOTE  —  the  new  C  should  be  denoted  as  Co  to  be  used  for  the  first  pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  5. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 


76 


5.2  Cipher  Block  Chaining  (TCBC)  Mode 

The  IUTs  which  implement  the  Cipher  Block  Chaining  (TCBC)  mode  are  validated  by 
successfully  completing  a  series  of  Known  Answer  tests  and  Monte  Carlo  tests  corresponding  to 
the  cryptographic  processes  allowed  by  the  IUT. 

5.2.1  Encryption  Process 

The  process  of  validating  an  IUT  which  implements  the  TCBC  mode  of  operation  in  the 
encryption  process  should  involve  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Plaintext  Known  Answer  Test  -  TCBC  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  TCBC  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TCBC  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  TCBC 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  TCBC  mode 

6.  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC  mode 
An  explanation  of  the  tests  follows. 
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5.2.1. 1  The  Variable  Plaintext  Known  Answer  Test  -  TCBC  Mode 

Table  13  The  Variable  Plaintext  Known  Answer  Test  -  TCBC  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0 1010 1 0 1 0 1 0 1 0 1 0 1  (odd  parity 

set) 

IV  =  0000000000000000 
Pi  =  8000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  Pj 

IUT:  FOR  i  =  1  to  64 

{ 

Perform  I,=  P,  ©  IV 
Triple 

DES:  P  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 

resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  Cj 
Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  P„  C, 

Pi+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  See  Table  A.  1. 

Table  13  illustrates  the  Variable  Plaintext  Known  Answer  Test  for  the  TCBC  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEY  1  hex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 
00  00  00  00  00  00  00  00. 
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c.  Initializes  the  64-bit  plaintext  Pi  to  the  basis  vector  containing  a"l"  in  the  first  bit 
position  and  "0"  in  the  following  63  positions,  i.e.,  Pi  bin  =  10000000  00000000 
00000000  00000000  00000000  00000000  00000000  00000000.  The  equivalent  of 
this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Calculate  the  input  block  I,  by  exclusive-ORing  P,  with  IV. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  ciphertext  C,.  This  involves 
processing  f  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state 
using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,  resulting 
in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage, 
denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  Pi,  and  the  resulting  Q  to  the  TMOVS  as  specified  in 
Output  Type  2. 

d.  Retain  C;  for  use  with  the  Inverse  Permutation  Known  Answer  Test  for  the  TCBC 
Mode  (Section  5. 2. 1.2  ),  and,  if  the  IUT  supports  the  decryption  process,  for  use 
with  the  Variable  Ciphertext  Known  Answer  Test  for  the  TCBC  Mode  (Section 
5.2.2. 1). 

e.  Assign  a  new  value  to  Pi+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i  +1=2,... ,64. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  P,  i.e.,  64  times.  The  output  from  the  IUT 

should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.l. 
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5.2. 1.2 


The  Inverse  Permutation  Known  Answer  -  TCBC  Mode 


Table  14  The  Inverse  Permutation  Known  Answer  Test  -  TCBC  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0 1010 1 0 1 0 1 0 1 0 1 0 1  (odd  parity 

set) 

IV  =  0000000000000000 

Pi  (where  i=1..64)  =  64  C  values  from  the  Variable  Plaintext 
Known  Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  Pi,...,P64 

IUT:  FOR  i  =  1  to  64 

{ 

Perform 
Triple 
DES: 

Send  i,  KEY  (representing  KEY1,  KEY2,  KEY3),  IV,  P„  C, 

Pi+i  =  corresponding  Ci+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Should  be  the  set  of  basis  vectors. 

Table  14  illustrates  the  Inverse  Permutation  Known  Answer  Test  for  the  TCBC  mode  of 
operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 

hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

NOTE  —  the  significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "1"  to  make  odd  parity. 


Ii=  Pi  ©  IV 

Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C, 
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b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  64-bit  plaintext  P;  (where  i=1..64)  to  the  Q  results  obtained  from  the 
Variable  Plaintext  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  5. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Calculate  the  input  block  I,  by  exclusive-ORing  P,  with  IV. 

b.  Process  f  through  the  three  DEA  stages  resulting  in  ciphertext  C,.  This  involves 
processing  I,  through  the  first  DEA  stage,  denoted  DEA,.  in  the  encrypt  state 
using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,  resulting 
in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage, 
denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  Pi,  and  the  resulting  Q  to  the  TMOVS  as  specified  in 
Output  Type  2. 

d.  Assign  a  new  value  to  Pi+i  by  setting  it  equal  to  the  corresponding  output  from  the 
TMOVS. 

NOTE  —  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 

in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

known  values.  The  C  values  should  be  the  set  of  basis  vectors. 
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5.2.1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  - 
TCBC  Mode 

Table  15  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TCBC 

Mode 

TMOVS:  Initialize  KEY!:  KEY  1 ,  =  KEY2,  =  KEY3,  =  800 10101010101 01  (odd 

parity  set) 

IV  =0000000000000000 
P  =  0000000000000000 

Send  KEYi  (representing  KEYli,  KEY2ls  and  KEY30,  IV,  P 

IUT:  FOR  i  =  1  to  64 

{ 

IF  (i  mod  8^0)  {process  every  bit  except  parity  bits} 

{ 

Ii  =  P  ©  IV 

Perform 

Triple  DES:  Ii  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEY lj,  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in 

Q 

Send  i,  KEY,  (representing  KEYli,  KEY2„  and  KEY3;),  IV,  P, 

Ci 

KEYlj+i  =  KEY2i+i  =  KEY3i+i  =  vector  consisting  of  "0"  in 
every  significant  bit  position  except  for  a  single  "  1 "  bit  in 
position  i+1. 

NOTE  —  that  parity  bits  are  "0"  or  "1"  to  make  the  KEYs  odd  parity. 

} 

} 

TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers. 
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Use  Table  A.2. 


As  summarized  in  Table  15,  the  Variable  Key  Known  Answer  Test  for  the  TCBC  Encryption 
Process  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYU,  KEY2i,  and  KEY3i  to  contain  "0" 
in  every  significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit 
KEY1,  bin=  KEY2,  bin=  KEY3i  bin=  10000000  00000001  00000001 
00000001  00000001  00000001  00000001  00000001.  The  equivalent  of  this 
value  in  hexadecimal  notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  64-bit  plaintext  P  to  the  value  of  0,  i.e.,  Phcx  =  00  00  00  00  00  00  00 

00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 


a.  Calculate  the  input  block  I;  by  exclusive-ORing  P  with  IV. 

b.  Using  the  corresponding  KEY  1 ,,  KEY2j,  and  KEY3j  parameters,  process  I, 
through  the  three  DEA  stages  resulting  in  ciphertext  Q.  This  involves  processing  I, 
through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state  using  KEYli? 
resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the  second 
DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage, 
denoted  DEA3,  in  the  encrypt  state  using  KEY3,,  resulting  in  ciphertext  Q. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY  1;, 
KEY2j,  and  KEY3j,),  IV,  P,  and  the  resulting  Cj  to  the  TMOVS  as  specified  in 
Output  Type  2. 

d.  If  the  IUT  supports  the  decryption  process,  retain  Q  for  use  with  the  Variable 
KEY  Known  Answer  Test  for  the  Decryption  Process  for  the  TCBC  Mode 
(Section  5. 2. 2. 3). 
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e. 


Set  KEYlj+i,,  KEY2i+i,,  and  KEY3i+i,,  equal  to  the  vector  consisting  of  "0"  in 
every  significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1.  The  parity 
bits  may  contain  "1"  or  "0"  to  make  odd  parity. 


NOTE  —  The  above  processing  continues  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameter.  The 
output  from  the  IUT  for  this  test  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A. 2. 
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5.2.1.4  Permutation  Operation  Known  Answer  Test  for  the  Encryption 

Process  -  TCBC  Mode 

Table  16  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC  Mode 

TMOVS:  Initialize  KEYI ,  =  KEY2,  =  KEY3,  (where  i=1..32)  =  32  KEY  values  in 

Table  A. 3 

IV  =  0000000000000000 
P  =  0000000000000000 

Send  P,  IV,  KEYi,  KEY2,...,KEY32  (Since  all  three  keys  are  the  same, 

these  key  values  represent  the  values  of  KEYI,  KEY2  and  KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 

Perform 
Triple  DES: 


Send  i,  KEY,  (representing  KEYI;,  KEY2„  and  KEY3,),  IV,  P,  C, 
KEYli+i  =  KEY2i+]  =  KEY3i+i  =  KEYi+1  from  TMOVS 

} 

TMOVS:  Compare  results  with  known  answers.  Use  Table  A. 3. 


Ii  =  P  ®  IV 

I;  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYlj,  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,.  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  Ci 


Table  16  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  TCBC  Encryption 
Process. 

1.  The  TMOVS: 

a.  Initializes  the  KEYI,  KEY2,  and  KEY3  variables  with  the  32  constant  KEY  values 
from  Table  A. 3. 
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b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  plaintext  P  to  the  value  of  0,  i.e.,  Phex=00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  8. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  32: 

a.  Calculate  the  input  block  I;  by  exclusive-ORing  P  with  IV. 

b.  Using  the  corresponding  KEYlj,  KEY2j,  and  KEY3i  values,  process  I,  through  the 
three  DEA  stages  resulting  in  ciphertext  Q.  This  involves  processing  I,  through  the 
first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state  using  KEYlj,  resulting  in 
intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the  second  DEA  stage, 
denoted  DEA2,  in  the  decrypt  state  using  KEY2j,  resulting  in  intermediate  value 
TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3i,  resulting  in  ciphertext  Cj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  P,  and  the  resulting  Q  to  the  TMOVS  as  specified  in 
Output  Type  2. 

d.  If  the  IUT  supports  the  decryption  process,  retain  C;  for  use  with  the  Permutation 
Operation  Known  Answer  Test  for  the  Decryption  Process  for  the  TCBC  mode 
(Section  5. 2. 2. 4). 

e.  Set  KEY li+i,  KEY2i+i,  and  KEY3j+i  equal  to  the  next  key  supplied  by  the 
TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 

should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A. 3. 
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5.2.1.5  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC  Mode 

Table  17  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC  Mode 

TMOVS:  Initialize  KEY1 ,  =  KEY2,  =  KEY3,(where  i=1..19)  =  19  KEY  values  in  Tabic 

A.4 

Pi  (where  i=  1 . .  1 9)  =  19  corresponding  P  values  in  Table  A.4 
IV  =  0000000000000000 

Send  IV,  19,  KEY i,  Pi,  KEY2,  P?,...,KEY i9,  Pi9  (Since  all  three  keys  are  the 

same,  these  key  values  represent  the  values  of  KEY1,  KEY2  and 
KEY3.) 

IUT:  FOR  i  =  1  to  19 

{ 

Ii  =  Pi  ®  IV 

Perform 

Triple  DES:  Ii  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY lj, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  C; 

Send  i,  KEY,  (representing  KEYlj,  KEY2„  and  KEY3,),  IV,  P„  C, 
KEYli+i  =  KEY21+1  =  KEY31+i  =  KEY1+i  from  TMOVS 
Pi+i  —  corresponding  Pi+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A.4. 


As  summarized  in  Table  17,  the  Substitution  Table  Known  Answer  Test  for  the  TCBC  Encryption 
Process  is  performed  as  follows: 

1.  The  TMOVS: 
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a.  Initializes  the  KEY-plaintext  (KEY-P)  pairs  with  the  19  constant  KEY-P  values 
from  Table  A.4.  The  KEY  value  indicates  the  value  of  KEY1,  KEY2,  and  KEY3, 

i.e.,  KEY1=KEY2=KEY3. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  11. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  19: 

a.  Calculate  the  input  block  I,  by  exclusive-ORing  P,  with  IV. 

b.  Using  the  corresponding  KEY1,,  KEY2,.  and  KEY3i  values,  process  I,  through  the 
three  DEA  stages  resulting  in  ciphertext  Cj.  This  involves  processing  I,  through  the 
first  DEA  stage,  denoted  DEAi,  in  the  encrypt  state  using  KEY1 ,,  resulting  in 
intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the  second  DEA  stage, 
denoted  DEA2,  in  the  decrypt  state  using  KEY2,,  resulting  in  intermediate  value 
TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3i,  resulting  in  ciphertext  Cj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  P,.  and  the  resulting  Cj  to  the  TMOVS  as  specified  in 
Output  Type  2. 

d.  If  the  IUT  supports  the  decryption  process,  retain  Cj  for  use  with  the  Substitution 
Table  Known  Answer  Test  for  the  Decryption  Process  for  the  TCBC  mode 
(Section  5. 2. 2. 5). 

e.  Set  KEY li+i,  KEY2i+i,  and  KEY3i+i  equal  to  the  KEYi+i  supplied  by  the  TMOVS. 

f.  Set  Pj+i  equal  to  the  corresponding  Pj+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-P  pairs  are  processed.  The  output  from  the  IUT  for  this  test 

should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.4. 
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5.2.1.6 


Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC  Mode 


Table  18  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC  Mode 

TMOVS:  Initialize  KEY10.  KEY2„,  KEY30,  IV.  P0 

Send  KEYlo,  KEY20,  KEY30,  IV,  P0 

IUT:  FOR  i  =  0  TO  399 

{ 

If  (i==0)  CVo  =  IV 

Record  i,  KEYli,  KEY2„  KEY3j,  CV0,  P0 
FOR  j  =  0  TO  9,999 
{ 

Ij  =  Pj  ©  CVj 

Process 

Triple  DES:  Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYli,  resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in 

Q 

IF  j=0 

Pj+i  =  CVo 
ELSE 

Pj+i  =  Cj-i 
CVJ+1  =  Cj 

} 

Record  Cj 

Send  i,  KEYli,  KEY2j,  KEY3;,  CV0,  P0,  Cj 
KEYli+1  =  KEYli  ©  Q 


IF  (KEYlj  and  KEY2,  are  independent  and  KEYS,  =  KEY1;)  or  (KEY1;, 
KEY2,.  and  KEY3i  are  independent) 

KEY21+i=  KEY2;  ®  CH 

ELSE 

KEY21+i=  KEY2;  ®  Q 

IF  (KEY1;=  KEY2i=  KEY3i)  or  (KEY1,  and  KEY2,  are  independent  and 
KEY3;  =  KEY10 

KEY3i+i=  KEY3;  ©  Q 

ELSE 

KEY3i+i=  KEY3;  ©  Cj_2 
Po  =  Cj-i 

CVo  =  Q 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  18,  the  Monte  Carlo  Test  for  the  TCBC  Encryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vector 
IV,  and  the  plaintext  P  variables.  The  P,  IV,  and  KEYs  consist  of  64  bits  each. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  21. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CV0  equal 
to  the  IV. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1*,  KEY2,.  KEY3j, 
CV0,  and  P0. 

c.  Perform  the  following  for  j  =  0  through  9999: 
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1)  Calculate  the  input  block  I,  by  exclusive-ORing  Pj  with  CV,. 

2)  Using  the  corresponding  KEYlj,KEY2j,  and  KEY3j  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  ciphertext  Cj.  This  involves 
processing  Ij  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed 
directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the  encrypt  state  using 
KEY3j,  resulting  in  ciphertext  Cj. 

3)  Prepare  for  loop  j+1  by  doing  the  following: 

a)  If  the  inner  loop  being  processed  in  the  first  loop,  i.e.,  j=0,  assign 
PJ+i  with  the  current  value  of  CV0.  Otherwise,  assign  PJ+i  with  the  C 
from  the  previous  inner  cycle,  Cj_i. 

b)  Assign  CVj+i  with  the  current  value  of  Cj. 

d.  Record  the  Cj. 

e.  Forward  all  recorded  information  from  this  loop,  as  specified  in  Output  Type  6,  to 
the  TMOVS. 

f.  In  preparation  for  the  next  outer  loop  (Note  j  =  9999): 

1)  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop. 

The  new  KEYli+i  should  be  calculated  by  exclusive-ORing  the  current 
KEYlj  with  the  Cj. 

The  new  KEY2i+i  calculation  is  based  on  the  values  of  the  keys.  If  KEYlj 
and  KEY2;  are  independent  and  KEY3,  =  KEYlj,  or  KEYlj,  KEY2j,  and 
KEY3j  are  independent,  the  new  KEY2j+]  should  be  calculated  by 
exclusive-ORing  the  current  KEY2j  with  the  Cj_i .  If 
KEYli=KEY2j=KEY3j,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2j  with  the  Cj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If 
KEYlj,  KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be 
calculated  by  exclusive-ORing  the  current  KEY3j  with  the  Cj_2.  If  KEYlj 
and  KEY2;  are  independent  and  KEY3;  =  KEYlj,  or  if 
KEYli=KEY2j=KEY3j,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  Cj. 
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2)  Assign  a  new  value  to  P0  in  preparation  for  the  next  output  loop.  P0  should 
be  assigned  the  value  of  Cj_i. 

NOTE  —  the  new  P  should  be  denoted  as  Po  to  be  used  for  the  first  pass  through  the  inner  loop 
when  j=0. 

3)  Assign  a  new  value  to  CVo  in  preparation  for  the  next  outer  loop.  CVo 
should  be  assigned  the  value  of  Cj. 

NOTE  —  the  new  CV  should  be  denoted  as  CVo  because  this  value  is  used  for  the  first  pass 
through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  6. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5.2.2  Decryption  Process 

The  process  of  validating  an  IUT  for  the  TCBC  mode  which  implements  the  decryption  process 
involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Ciphertext  Known  Answer  Test  -  TCBC  mode 

2.  The  Initial  Permutation  Known  Answer  Test  -  TCBC  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  TCBC  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  -  TCBC 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  TCBC  mode 

6.  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC  mode 
An  explanation  of  the  tests  follows. 
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5.2.2. 1 


The  Variable  Ciphertext  Known  Answer  Test  -  TCBC  Mode 


Table  19  The  Variable  Ciphertext  Known  Answer  Test  -  TCBC  Mode 


TMOVS:  Initialize  KEYs:  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd 

parity  set) 

IV  =  0000000000000000 
If  encryption  is  supported  by  the  IUT: 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Q  (where  i=1..64)  =  C  values  in  Table  A.l 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  Cu  C2,...,C64 

IUT:  If  encryption  is  supported 

Initialize  Ci=  first  value  from  output  of  Variable  Plaintext  Known  Answer 
Test. 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  64 

{ 


Perform 

Triple 

DES: 


Ci+i  =  corresponding  Ci+i  from  output  of  Variable  Plaintext  Known 
Answer  Test 


Ii  =  Ci 

h  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  decrypted  by  DEAi  using  KEY1,  resulting  in  O; 

P,  =  O,  ®  IV 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  C„  P, 
If  encryption  is  supported: 
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else 


Ci+i  =  corresponding  Ci+i  value  from  TMOVS 


} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Should  be  the  set  of  basis 

vectors. 


Table  19  illustrates  the  Variable  Ciphertext  Known  Answer  Test  for  the  TCBC  mode  of 
operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  If  the  IUT  does  not  support  encryption,  the  64  constant  ciphertext  values  are 
initialized  with  the  64  constant  C  values  from  Table  A.l. 

d.  If  encryption  is  supported  by  the  IUT,  the  KEYs  and  the  IV  are  forwarded  to  the 
IUT,  as  specified  in  Input  Type  6.  If  encryption  is  not  supported  by  the  IUT,  the 
KEYs,  the  IV,  and  64  C  values  are  forwarded  to  the  IUT  using  Input  Type  5. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C  value  with  the  first  C  value  retained  from 
the  Variable  Plaintext  Known  Answer  Test  for  the  TCBC  Mode  (Section  5.2. 1.1). 
Otherwise,  use  the  first  value  received  from  the  TMOVS. 

b.  Perform  the  following  for  i=l  through  64: 

1)  Set  the  input  block  I;  equal  to  the  value  of  Q. 

2)  Process  I,  through  the  three  DEA  stages  resulting  in  the  output  block  O,. 
This  involves  processing  f  through  the  DEA  stage  DEA3,  in  the  decrypt 
state  using  KEY3,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  DEA  stage  DEA2,  in  the  encrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the 
DEA  stage  DEAi,  in  the  decrypt  state  using  KEY1,  resulting  in  output 
block  O;. 
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3) 


Calculate  the  plaintext  P;  by  exclusive-ORing  O,  with  IV. 


4)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  IV,  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  2. 

5)  Retain  P,  for  use  with  the  Initial  Permutation  Known  Answer  Test  for  the 
TCBC  Mode  (Section  5. 2.2.2). 

6)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  output  from 
the  Variable  Plaintext  Known  Answer  Test  for  the  TCBC  mode.  If 
encryption  is  not  supported,  assign  a  new  value  to  Ci+i  by  setting  it  equal  to 
the  corresponding  Q+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  64  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values.  The  P  results  should  be  the  set  of  basis  vectors. 
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5. 2. 2. 2  The  Initial  Permutation  Known  Answer  Test  -  TCBC  Mode 

Table  20  The  Initial  Permutation  Known  Answer  Test  -  TCBC  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity 

set) 

IV  =  0000000000000000 

Cj  (where  i=1..64)  =  64  P  values  from  Variable  Ciphertext  Known 
Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  Ci..C64 

IUT:  FOR  i  =  1  to  64 

{ 

Perform 
Triple 
DES: 


Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  Q,  P, 

Ci+i  =  corresponding  Ci+i  value  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Table  20  illustrates  the  Initial  Permutation  Known  Answer  Test  for  the  TCBC  mode  of  operation. 
1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 

hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 
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b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c  Initializes  the  64  C  values  with  the  64  P  values  obtained  from  the  Variable 
Ciphertext  Known  Answer  Test. 

d.  Forwards  the  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,  and  the  64  C 
values  to  the  IUT  using  Input  Type  5. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Set  the  input  block  I;  equal  to  the  value  of  Q. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  the  output  block  (),.  This 
involves  processing  I,  through  the  DEA  stageDEA3  in  the  decrypt  state  using 
KEY3,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into  the 
DEA  stage  DEA2  in  the  encrypt  state  using  KEY2,  resulting  in  intermediate  value 
TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEY1,  resulting  in  O  . 

c.  Calculate  the  plaintext  P,  by  exclusive-ORing  Oj  with  IV. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  Q,  and  the  resulting  P,  to  the  TMOVS  as  specified  in 
Output  Type  2. 

e.  Set  Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 

in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values. 
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5.2.2.3 


The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  - 
TCBC  Mode 


Table  21  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  TCBC 

Mode 


TMOVS:  Initialize  KEYs:  KEYli  =  KEY2i  =  KEY3i  =  8001010101010101  (odd 

parity  set) 

IV =0000000000000000 
If  encryption  is  supported  by  the  IUT: 

Send  KEY!  (representing  KEYlb  KEY2,,  and  KEY3i),  IV 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Q  values  (where  i=l.. 56):  C  values  in  Table  A. 2 

Send  KEY!  (representing  KEYli,  KEY2i,  and  KEY3i),  IV,  Ci,  C2,...,  C56 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Ci  =  first  value  from  output  of  Variable  Key  Known  Answer  Test 
for  the  Encryption  Process 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  64 

{ 

IF  (i  mod  8  ^  0)  {process  every  bit  except  parity  bits} 

{ 

Perform 
Triple 
DES: 


Send  i,  KEYi  (representing  KEYli,  KEY2„  and  KEY30,  IV,  Q,  R 


Ii  =  C, 

Ii  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3i, 
resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,.  resulting  in  TEMP2 
TEMP2  is  decrypted  by  DEAi  using  KEYlj,  resulting  in  O, 

Pi  =  Oi  ®  IV 
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KEYlj+i  =  KEY2j+i  =  KEY3  i+i  =  vector  consisting  of  "0"  in  every 
significant  bit  position  except  for  a  single  "1"  bit  in  the  i+lth  position. 

NOTE  —  odd  parity  is  set. 

If  encryption  is  supported  by  the  IUT: 

Ci+i  =  corresponding  Ci+]  from  output  of  Variable  Key  Known 
Answer  Test  for  the  Encryption  Process 

else 

Ci+i  =  corresponding  Ci+i  value  from  TMOVS 

} 

} 

TMOVS:  Compare  results  of  the  56  decryptions  with  known  answers. 

Should  be  P=0000000000000000  for  all  56  rounds. 


Table  21  illustrates  the  Variable  Key  Known  Answer  Test  for  the  TCBC  Decryption  Process. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin= 
KEY2,  bin=  KEY3i  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  If  the  IUT  does  not  support  encryption,  the  C,  values  are  initialized  with  the  56 
constant  C  values  from  Table  A.2. 

d.  If  encryption  is  not  supported  by  the  IUT,  the  KEY  (representing  KEY1,  KEY2, 
and  KEY3),  IV,  and  the  56  C  values  are  forwarded  to  the  IUT,  as  specified  in 
Input  Type  5.  Otherwise,  the  KEY1,  KEY2,  KEY3,  and  IV  are  forwarded  to  the 
IUT,  as  specified  in  Input  Type  6. 

2.  The  IUT  should: 
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a.  If  encryption  is  supported,  initialize  the  Ci  value  with  the  first  C  value  retained 

from  the  Variable  KEY  Known  Answer  Test  for  the  Encryption  Process  for  the 

TCBC  Mode  (Section  5.2. 1.3).  Otherwise,  use  the  first  value  received  from  the 

TMOVS. 

b.  Perform  the  following  for  i  =  1  to  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 

1)  Set  the  input  block  f  equal  to  the  value  of  Q. 

2)  Using  the  corresponding  KEY U,  KEY2i,  and  KEY3i  parameters,  process  I, 
through  the  three  DEA  stages  resulting  in  the  output  block  (),.  This 
involves  processing  I,  through  the  DEA  stage  DEA3  in  the  decrypt  state 
using  KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2j, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the 
DEA  stage  DEAi  in  the  decrypt  state  using  KEY  1 ,,  resulting  in  Op 

3)  Calculate  the  plaintext  P;  by  exclusive-ORing  O;  with  IV. 

4)  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing 
KEYli,  KEY2i,  and  KEY3;),  IV,  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  2. 

5)  Set  KEYlj+i,,  KEY2i+i,,  and  KEY3i+i,,  equal  to  the  vector  consisting  of  "0" 
in  every  significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 
The  parity  bits  may  contain  "1"  or  "0"  to  make  odd  parity. 

NOTE  -  KEY  1  i+1  =  KEY2.+1  =  KEY3,+i. 

6)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  Ci+i  value 
retained  from  the  Variable  Key  Known  Answer  Test  for  the  Encryption 
Process  for  TCBC  mode.  If  encryption  is  not  supported  by  the  IUT,  set 
Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  56  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values.  The  P  results  should  be  all  zeros. 
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5.2.2A 


Permutation  Operation  Known  Answer  Test  for  Decryption  Process  - 
TCBC  Mode 


Table  22  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  - 

TCBC  Mode 


TMOVS:  Initialize  KEYI;  =  KEY2,  =  KEY3,  (where  i=1..32)  =  32  KEY  values  in 

Table  A. 3 

IV  =  0000000000000000 
If  encryption  is  supported  by  the  IUT: 

Send  IV,  KEYi,  KEY2,...,KEY32  (Since  all  three  keys  are  the  same,  these 

key  values  represent  the  values  of  KEYI,  KEY2,  and  KEY3.) 

If  encryption  not  supported  by  the  IUT: 

Initialize  Cj  (where  i=1..32)  =  corresponding  C  values  in  Table  A. 3 

Send  IV,  KEYi,  Ci,  KEY2,  C2,...,KEY32,  C32  (The  key  values  represent 

the  values  of  KEYI,  KEY2,  and  KEY3.) 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Ci  =  first  value  retained  from  Permutation  Operation  Known 
Answer  Test  for  the  Encryption  Process 

Otherwise,  use  the  first  value  received  from  the  TMOVS. 

FOR  i  =  1  to  32 

{ 

Perform 
Triple 
DES: 


KEYli+i  =  KEY2i+i  =  KEY3i+i  =  corresponding  KEYi+i  supplied  by 


I,  =  C, 

Ii  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 
resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,.  resulting  in  TEMP2 
TEMP2  is  decrypted  by  DEAi  using  KEYI;,  resulting  in  O, 

Pi  =  Oi  ®  IV 

Send  i.  KEY,  (representing  KEY!,,  KEY2„  and  KEY3,),  IV,  C„  P, 
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TMOVS 


If  encryption  is  supported: 

Ci+i  =  corresponding  Ci+i  from  output  of  Permutation  Operation  Known 
Answer  Test  for  the  Encryption  Process 

else 

Ci+i  =  corresponding  Ci+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Should  be  P=0000000000000000  for  all  32  rounds. 


Table  22  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  TCBC  Decryption 

Process. 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY1,  KEY2,  and  KEY3  variables  are 
initialized  with  the  32  constant  KEY  values  from  Table  A. 3.  If  the  IUT  does  not 
support  encryption,  the  KEY-ciphertext  (KEY-C)  pairs  are  initialized  with  the  32 
constant  KEY-C  pairs  from  Table  A. 3. 

NOTE  -  KEY1=KEY2=KEY3. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  If  encryption  is  supported  by  the  IUT,  the  32  KEY  values  for  KEY1,  KEY2,  and 
KEY3,  and  the  IV  value  are  forwarded  to  the  IUT  using  Input  Type  12.  If 
encryption  is  not  supported  by  the  IUT,  the  32  KEY  and  C  pairs  and  the  IV  value 
are  forwarded  to  the  IUT  using  Input  Type  11. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C;  value  with  the  first  C  value  retained 
from  the  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process 
for  the  TCBC  Mode  (Section  5. 2. 1.4).  Otherwise,  use  the  first  value  received  from 
the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  32: 
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1)  Set  the  input  block  I,  equal  to  the  value  of  Q. 

2)  Using  the  corresponding  KEY li,KEY2j,  and  KEY3j  values,  process  I; 
through  the  three  DEA  stages  resulting  in  output  block  Oj.  This  involves 
processing  E  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly  into 
the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2;,  resulting  in 
intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  DEA  stage 
DEA!  in  the  decrypt  state  using  KEY  1 ,,  resulting  in  (),. 

3)  Calculate  the  plaintext  P;  by  exclusive-ORing  O,  with  IV. 

4)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  IV,  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  2. 

5)  Assign  a  new  value  to  KEYli+i,  KEY2i+1,  and  KEY3i+i  by  setting  them 
equal  to  the  corresponding  KEYi+i  value  supplied  by  the  TMOVS. 

NOTE  -  KEY1=KEY2=KEY3. 

6)  If  encryption  is  supported,  set  Ci+1  equal  to  the  corresponding  Ci+1  value 
retained  from  the  Permutation  Operation  Known  Answer  Test  for  the 
Encryption  Process  for  the  TCBC  mode.  If  encryption  is  not  supported,  set 
Ci+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY-C  values  are  passed  as  specified  in  Input  Type  1 1,  or  all  32 

KEY  values  are  passed  as  specified  in  Input  Type  12.  The  output  from  the  IUT  for  this  test  should  consist  of  32  output  strings. 

Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values.  The  P  results  should  be  all  zeros. 
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5 .2.2.5 


Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 
TCBC  Mode 


Table  23  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 

TCBC  Mode 


TMOVS:  Initialize  KEY1, ,  KEY2,  KEYS,  (where  i=l..  19)=  19  KEY  values  in  Table  A.4 

IV  =  0000000000000000 

If  encryption  is  supported  by  the  IUT: 

Send  IV,  KEY i,  KEY2,...,KEY ,9  (Since  all  three  keys  are  the  same,  these 

key  values  represent  the  values  of  KEY1,  KEY2,  and  KEY3.) 

If  encryption  not  supported: 

Initialize  C;  (where  i=1..19)=  19  C  values  in  Table  A.4 

Send  IV,  KEY i,  Ci,  KEY2,  C2,...,KEY i9,  Ci9  (These  key  values  represent 

the  values  of  KEY1,  KEY2,  and  KEY3.) 

IUT:  If  encryption  is  supported: 

Initialize  Ci  =  first  C  value  retained  from  the  Substitution  Table  Known  Answer 
Test  for  the  Encryption  Process. 

Otherwise,  use  the  first  value  received  from  the  TMOVS 

FOR  i  =  1  to  19 

{ 

Perform 
Triple 
DES: 


Send  i,  KEYj,  IV,  Ci,  P,  (where  KEYj  represents  the  value  of  KEY1,  KEY2 
and  KEY3) 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  corresponding  KEYi+i  supplied  by 


Ii  =  Ci 

Ii  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3i,  resulting 
in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2,.  resulting  in  TEMP2 
TEMP2  is  decrypted  by  DEAi  using  KEYlj,  resulting  in  O, 

P1=0,  ®  IV 
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TMOVS 

If  encryption  is  supported: 

Ci+i  =  corresponding  C  from  output  of  Substitution  Table  Known  Answer 
Test  for  the  Encryption  Process  for  the  TCBC  mode 

else 

Q+i  =  corresponding  Ci+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  See  Table  A. 4. 


As  summarized  in  Table  23,  the  Substitution  Table  Known  Answer  Test  for  the  TCBC 
Decryption  Process  is  performed  as  follows: 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY1,  KEY2,  and  KEY3  variables  are 
initialized  with  the  19  constant  KEY  values  from  Table  A.4.  If  the  IUT  does  not 
support  encryption,  the  KEY-ciphertext  (KEY-C)  pairs  are  initialized  with  the  19 
constant  KEY-C  pairs  from  Table  A. 4. 

NOTE  -  KEY  1  =KE Y 2=KE  Y  3 . 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  If  encryption  is  supported  by  the  IUT,  the  IV  and  the  19  KEY  values  for  KEY1, 
KEY2,  and  KEY3  are  forwarded  to  the  IUT  using  Input  Type  12.  Otherwise,  if 
encryption  is  not  supported  by  the  IUT,  the  IV  and  the  19  KEY-C  pairs  are 
forwarded  to  the  IUT  using  Input  Type  11. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  Ci  value  with  the  first  C  value  retained 
from  the  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  for 
the  TCBC  Mode  (Section  5. 2. 1.5).  Otherwise,  use  the  first  C  value  received  from 
the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  19: 

1)  Set  the  input  block  I;  equal  to  the  value  of  C,. 
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2)  Using  the  corresponding  KEYlj,KEY2j,  and  KEY3i  values,  process  E 
through  the  three  DEA  stages  resulting  in  the  output  block  (),.  This 
involves  processing  I,  through  the  DEA  stage  DEA3  in  the  decrypt  state 
using  KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2j, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the 
DEA  stage  DEAi  in  the  decrypt  state  using  KEY  1 ,,  resulting  in  (),. 

3)  Calculate  the  plaintext  P;  by  exclusive-ORing  O,  with  IV. 

4)  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing 
KEY1,  KEY2,  and  KEY3),  IV,  Q,  and  the  resulting  P,  to  the  TMOVS  as 
specified  in  Output  Type  2. 

5)  Set  KEYli+1,  KEY2i+1,  and  KEY3i+i  equal  to  the  next  key  supplied  by  the 
TMOVS. 

6)  If  encryption  is  supported,  set  Ci+i  equal  to  the  corresponding  Ci+i  value 
retained  from  the  Substitution  Table  Known  Answer  Test  for  the 
Encryption  Process  for  the  TCBC  mode.  If  encryption  is  not  supported,  set 
Cj+i  equal  to  the  corresponding  Ci+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-C  pairs,  as  specified  in  Input  Type  1 1,  or  all  19  KEY  values, 
as  specified  in  Input  Type  12,  are  processed.  The  output  from  the  IUT  for  this  test  should  consist  of  19  output  strings.  Each 
output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5. 2.2.6 


Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC  Mode 


Table  24  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC  Mode 

TMOVS:  Initialize  KEY10,  KEY20,  KEY30,  IV,  C0 

Send  KEYlo,  KEY20,  KEY30,  IV,  C0 

IUT:  FOR  i  =  0  TO  399 

{ 

If  (i==0)  CV0  =  IV 

Record  i,  KEYli,  KEY2„  KEY3;,  CV0,  C0 
FOR  j  =  0  TO  9,999 
{ 

Perform 

Triple  DES:  Ij  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3i? 
resulting  in  TEMPI 

TEMPI  is  encrypted  by  DEA2  using  KEY2j,  resulting  in 
TEMP2 

TEMP2  is  decrypted  by  DEAi  using  KEY1 ,,  resulting  in  O, 

Pj  =  Oj  ®  CVj 
CVJ+1  =  Cj 
CJ+1  =  Pi 

} 

Record  Pj 

Send  i,  KEYli,  KEY2„  KEY3„  CV0,  C0,  P, 

KEYli+i  =  KEYli  ©  Pj 

IF  (KEYli  and  KEY2,  are  independent  and  KEY3;  =  KEY1;)  or  (KEYli, 
KEY2j,  and  KEY3j  are  independent), 

KEY21+1=  KEY2,  0  P^ 


ELSE 

KEY2i+1=  KEY2,  ®  Pj 

IF  (KEY1;  =KEY2,  =KEY3j)  or  (KEY1;  and  KEY2,  are  independent  and 
KEY3;  =  KEY10, 

KEY3i+i=  KEY3j  ®  P, 

ELSE 

KEY3i+i=  KEY3,  ®  Pj_2 
CVo  =  Cj 
Co  =  P.i 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  24,  the  Monte  Carlo  Test  for  the  TCBC  Decryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vector 
IV,  and  the  ciphertext  C  variables.  All  variables  consist  of  64  bits. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  21. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CV0  equal 
to  IV. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1*,  KEY2,.  KEY3j, 
CV0  and  C0. 

c.  Perform  the  following  for  j  =  0  through  9999: 

1)  Set  the  input  block  I,  equal  to  the  value  of  Cj. 

2)  Using  the  corresponding  KEY  1  ,.KEY2,.  and  KEY3i  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  the  output  block  O,.  This 
involves  processing  Ij  through  the  DEA  stage  DEA3  in  the  decrypt  state 
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using  KEY3j,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  DEA  stage  DEA2  in  the  encrypt  state  using  KEY2,. 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the 
DEA  stage  DEA,  in  the  decrypt  state  using  KEY1 ,,  resulting  in  0,. 

3)  Calculate  the  plaintext  P,  by  exclusive-ORing  Oj  with  CVr 

4)  Prepare  for  loop  j+1  by: 

a)  Assigning  CVj+i  with  the  current  value  of  Cj. 

b)  Assigning  Cj+i  with  the  current  value  of  Pj. 

d.  Record  Pj. 

e.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  6  to 
the  TMOVS. 

f.  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop.  Note  j  =  9999. 

The  new  KEYli+i  should  be  calculated  by  exclusive-ORing  the  current  KEYlj  with 
the  Pj. 

The  new  KEY2i+]  calculation  is  based  on  the  values  of  the  keys.  If  KEYlj  and 
KEY2;  are  independent  and  KEY3j  =  KEYlj,  or  KEYlj,  KEY2j,  and  KEY3j  are 
independent,  the  new  KEY2i+i  should  be  calculated  by  exclusive-ORing  the  current 
KEY2;  with  the  P^.  If  KEYli=KEY2i=KEY31,  the  new  KEY2i+1  should  be 
calculated  by  exclusive-ORing  the  current  KEY2j  with  the  Pj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If  KEYlj, 
KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  Pj_2.  If  KEYlj  and  KEY2j  are 
independent  and  KEY3;  =  KEYlj,  or  if  KEYlj=KEY2j=KEY3j,  the  new  KEY31+i 
should  be  calculated  by  exclusive-ORing  the  current  KEY3j  with  the  Pj. 

g.  Assign  a  new  value  to  CV0  in  preparation  for  the  next  outer  loop.  CV0  should  be 
assigned  the  value  of  the  current  Cj.  Note  j  =  9999. 

NOTE  —  the  new  CV  should  be  denoted  as  CVo  to  be  used  for  the  first  pass  through  the  inner  loop  when 

h.  Assign  a  new  value  to  C0  in  preparation  for  the  next  outer  loop.  C0  should  be 
assigned  the  value  of  the  current  Pj.  Note  j  =  9999. 

NOTE  —  the  new  C  should  be  denoted  as  Co  to  be  used  for  the  first  pass  through  the  inner  loop  when  j=0. 


NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  6. 
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The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 


5.3  Cipher  Block  Chaining  Mode  -  Interleaved  (TCBC-I) 


The  IUTs  in  the  Cipher  Block  Chaining  mode  -  Interleaved  (TCBC-I)  are  validated  by 
successfully  completing  a  series  of  Known  Answer  tests  and  Monte  Carlo  tests  corresponding  to 
the  cryptographic  processes  allowed  by  the  IUT. 

The  interleaved  configuration  is  intended  for  systems  equipped  with  multiple  DEA  processors.  By 
interleaving  the  data,  throughput  is  improved  and  propagation  delay  is  minimized  by  initializing 
the  three  individual  DEA  stages  and  then  simultaneously  clocking  them.  Thus,  with  each  clock 
cycle,  data  is  processed  by  each  DEA;  stage  (where  i  =  1,  2,  3)  and  passed  onward  to  the  output 
buffer  or  the  next  stage  so  that  idle  DEA,  stages  are  minimized. 

The  processing  for  each  Known  Answer  test  and  Monte  Carlo  Test  is  broken  down  into  clock 
cycles  Tl,  T2,  T3....  Within  each  clock  cycle,  the  processing  occurring  on  each  active  DEA  is 
discussed.  For  convenience,  let  KEY1  represent  the  key  used  on  processor  DEAi,  KEY2 
represent  the  key  used  on  processor  DEA2,  and  KEY3  represent  the  key  used  on  processor 

dea3. 

5.3.1  Encryption  Process 

The  process  of  validating  an  IUT  which  implements  the  TCBC-I  mode  of  operation  in  the 
encryption  process  involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Plaintext  Known  Answer  Test  -  TCBC-I  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  TCBC-I  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TCBC-I  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  TCBC-I 

mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  TCBC-I  mode 

6.  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC-I  mode 
An  explanation  of  the  tests  follows. 
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5.3. 1.1  The  Variable  Plaintext  Known  Answer  Test  -  TCBC-I  Mode 

Table  25  The  Variable  Plaintext  Known  Answer  Test  -  TCBC-I  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555  (based  on  specifications  in  ANSI  X9.52 
-  1998) 

IV3  =  AAAAAAAAAAAAAAAA  (based  on  specifications  in 
ANSI  X9.52  -  1998) 

Pli =  P2i =  P3i =  8000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1,  IV2,  IV3,  Pli, 

P2i,P3, 

IUT:  FOR  i  =  1  to  64 


Tl:  Il^PliSIVl 

Perform  Triple 

DES:  Ili  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 

resulting  in  TEMPli 

T2:  I2i=  P2i  ®  IV2 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP2i 

TEMPI  i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  I3i=P3i®IV3 

13 j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

TEMPO  is  encrypted  by  DEA3  using  KEY3,  resulting  in  Clj 
T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
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TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C2i 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C3j 

Send  i,  KEY  (representing  KEY1 .  KEY2,  and  KEY3),  IV1,  IV2,  IV3,  II;, 
12;,  and  I3;,  Cli,C2i,C3i 

PI  1 1 1  —  P2i+i  —  P3i+i  —  basrs  vector  where  srngle  1  brt  rs  rn  posrtron  i-T  1 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  See  Table  A. 5. 


Table  25  illustrates  the  Variable  Plaintext  Known  Answer  Test  for  the  TCBC-I  mode  of 

operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2heX=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  R,  mod  264  where  R1=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  64-bit  plaintext  values  PI  1,  P2i,  P3i  to  the  basis  vector  containing  a 
"1"  in  the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  PI  1  bin  =  P2i 
bin  =  P3,  bin  =  10000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00 
00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

NOTE  —  the  processing  for  each  clock  cycle  Tr  is  displayed. 


a. 


At  clock  cycle  Tl: 

1)  Calculate  the  input  block  II;  by  exclusive-ORing  PI;  with  IV1. 
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2)  Process  II;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

1)  Calculate  the  input  block  12;  by  exclusive-ORing  P2;  with  IV2. 

2)  Process  12;  through  the  first  DEA  stage,  denoted  DEA;,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMP2;. 

3)  Process  TEMPI;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP12. 

At  clock  cycle  T3: 

1)  Calculate  the  input  block  13;  by  exclusive-ORing  P3;  with  IV3. 

2)  Process  13;  through  the  first  DEA  stage,  denoted  DEA;,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMP3;. 

3)  Process  TEMP2;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMP12  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  Cl;. 

At  clock  cycle  T4: 

1)  Process  TEMP2?  through  the  third  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  C2;. 

2)  Process  TEMP3;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP3?  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  C3;. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY  1, 
KEY2,  and  KEY3),  IV1,  IV2,  IV3,  II;,  12;,  13;,  and  the  resulting  Cl;,  C2i?  and  C3;, 
to  the  TMOVS  as  specified  in  Output  Type  3. 

c.  Retain  Cl;,  C2;,  and  C3;,  for  use  with  the  Inverse  Permutation  Known  Answer 
Test  for  the  TCBC-I  Mode  (Section  5.3. 1.2  ),  and,  if  the  IUT  supports  the 
decryption  process,  for  use  with  the  Variable  Ciphertext  Known  Answer  Test  for 
the  TCBC-I  Mode  (Section  5.3.2. 1). 
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d.  Assign  a  new  value  to  Pli+i,  P2i+j,  and  P3i+i,  by  setting  them  equal  to  the  value  of 
a  basis  vector  with  a  "1"  bit  in  position  i+1,  where  i+l=2,...,64. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  P  variables,  i.e.,  64  times.  The  output 
from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  Cl 
results  to  the  known  values  found  in  Table  A.  5. 
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5.3. 1.2  The  Inverse  Permutation  Known  Answer  Test  -  TCBC-I  Mode 

Table  26  The  Inverse  Permutation  Known  Answer  Test  -  TCBC-I  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555  (based  on  specifications  in  ANSI  X9.52  - 
1998) 

IV3  =  AAAAAAAAAAAAAAAA  (based  on  specifications  in  ANSI 
X9.52  -  1998) 

Pkj  (where  k=1..3  and  i=1..64)  =  64  corresponding  Ck,  values  from 
Variable  Plaintext  Known  Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1,  IV2,  IV3, 

Pli,...,Pl64,  P2i,...,P264,  P3i,...,P364 

IUT:  FOR  i  =  1  to  64 

{ 

~TE  Il^PkeiVl 

Perform 

Triple  DES:  Ili  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 

resulting  in  TEMPli 

T2:  I2i=  P2i  ©  IV2 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  13 i=  P3;  ©  IV3 

13 j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

TEMPO  is  encrypted  by  DEA3  using  KEY3,  resulting  in  Clj 
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T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  C3j 

Send  i,  Key  (representing  KEY1,  KEY2,  and  KEY3),  IV1,  IV2,  IV3,  Pl„ 
P2i,  P3j,  Cli,C2i,C3i 

Pki+i  (where  k=1..3)  =  corresponding  Cki+i  from  TMOVS 

} 

TMOVS:  Compare  Cl,  C2,  and  C3  results  from  each  loop  with  known  answers.  See  Table 

A. 6. 

Cl  should  be  the  set  of  basis  vectors. 


Table  26  illustrates  the  Inverse  Permutation  Known  Answer  Test  for  the  TCBC-I  mode  of 
operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  R,  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  64-bit  plaintext  values  PI,  P2,  P3  to  the  64-bit  ciphertext  values  Cl, 
C2,  and  C3  respectively,  obtained  from  the  Variable  Plaintext  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  15. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 


NOTE  -  the  processing  for  each  clock  cycle  Tt  is  displayed. 

a.  At  clock  cycle  Tl: 
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1)  Calculate  the  input  block  II;  by  exclusive-ORing  PI;  with  IV 1. 

2)  Process  II;  through  the  first  DEA  stage,  denoted  DEA;,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI;. 

At  clock  cycle  T2: 

1)  Calculate  the  input  block  12;  by  exclusive-ORing  P2;  with  IV2. 

2)  Process  12;  through  the  first  DEA  stage,  denoted  DEA;,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMP2;. 

3)  Process  TEMPI;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMPO. 

At  clock  cycle  T3: 

1)  Calculate  the  input  block  13;  by  exclusive-ORing  P3;  with  IV3. 

2)  Process  13;  through  the  first  DEA  stage,  denoted  DEA;,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMP3;. 

3)  Process  TEMP2;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMPI?  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  Cl;. 

At  clock  cycle  T4: 

1)  Process  TEMP2?  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  C2;. 

2)  Process  TEMP3;  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP3?  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,  resulting  in  the  ciphertext  value  C3;. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (which  represents  KEY1, 

KEY2,  and  KEY3),  IV1,  IV2,  IV3,  PI;,  P2;,  and  P3;,  and  the  resulting  Cl;,  C2;, 

and  C3;,  to  the  TMOVS  as  specified  in  Output  Type  3. 

c.  Assign  a  new  value  to  the  plaintext  values,  Pli+1,  P2i+1,  and  P3i+1,  by  setting  them 

equal  to  the  corresponding  output  from  the  TMOVS. 
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NOTE  —  This  processing  continues  until  all  ciphertext  values  from  the  Variable  Plaintext  Known  Answer  Test  have  been  used 
as  input.  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  3. 


3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  Cl,  C2, 
and  C3  results  to  known  values.  The  Cl  values  should  be  the  set  of  basis  vectors.  See 
Table  A.6. 
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5.3. 1.3 


The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  - 
TCBC-I  Mode 


Table  27 


TMOVS: 


IUT: 


The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  TCBC-I 

Mode 

Initialize  KEY  1 ,  =  KEY2,  =  KEY3,  =  8001010 101010 101  (odd  parity 

set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 

PI  =  P2  =  P3  =  0000000000000000 

Send  KEY!  (representing  KEYH,  KEY2,,  and  KEY3i),  IV1,  IV2, 

IV3,  PI,  P2,  P3 


FOR  i  =  1  to  64 

{ 


IF  (i  mod  8^0)  {process  every  bit  except  parity  bits} 

{ 


Perform 

Triple 

DES: 


Tl:  Ili=Pl®IVl 

Ili  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYli,  resulting  in  TEMPI i 

T2:  I2i=  P2  ©  IV2 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYli,  resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2;,  resulting  in 
TEMPO 

T3:  I3;=  P3  ©  IV3 

13 i  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYli,  resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2j ,  resulting  in 
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TEMP22 

TEMPI 2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in 
Cl, 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in 
C2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3i,  resulting  in 
C3i 


Send  i,  KEY,  (representing  KEY1;,  KEY2„  and  KEY3,),  IV1,  IV2, 
IV3,  PI,  P2,  P3,  Cl;,  C2b  C3, 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 

NOTE  —  the  parity  bits  are  “0"  or  “1"  to  set  odd  parity. 


TMOVS:  Compare  results  of  the  3  triple  DES  encryptions  per  56  different  keys  with  known 

answers.  SeeTableA.il. 


Table  27  illustrates  the  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  for  the 
TCBC-I  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin  = 
KEY2,  bin  =  KEY3,  bin  =  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or'T"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameters,  IV1,  IV2,  and  IV3.  IV1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  R,  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
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55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 


c.  Initializes  the  P  parameters  PI,  P2,  and  P3  to  the  constant  hexadecimal  value  0, 
i.e.,  Plhex=P2hex=P3hex=00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 

NOTE  -  the  processing  for  each  clock  cycle  Ti  is  displayed. 


a.  At  clock  cycle  Tl : 

1)  Calculate  the  input  block  II;  by  exclusive-ORing  PI  with  IV 1. 

2)  Process  II;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY1 ,,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

1)  Calculate  the  input  block  12;  by  exclusive-ORing  P2  with  IV2. 

2)  Process  I2i  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY1 ,,  resulting  in  intermediate  value  TEMP2i. 

3)  Process  TEMPI  i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMP12. 

At  clock  cycle  T3: 

1)  Calculate  the  input  block  I3i  by  exclusive-ORing  P3  with  IV3. 

2)  Process  13;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY1 ,,  resulting  in  intermediate  value  TEMP3i. 

3)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMPO  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,,  resulting  in  the  ciphertext  value  CO 

At  clock  cycle  T4: 

1)  Process  TEMP22  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,,  resulting  in  the  ciphertext  value  C2,. 
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2)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP3?  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3,,  resulting  in  the  ciphertext  value  C3,. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (which  represents  KEY  1 ,, 
KEY2;,  and  KEY3;),  IV1,  IV2,  IV3,  PI,  P2,  and  P3,  and  the  resulting  Cl;,  C2i; 
and  C3i,  to  the  TMOVS  as  specified  in  Output  Type  3. 

c.  If  the  IUT  supports  the  decryption  process,  retain  Cl,  C2,  and  C3  for  use  with  the 
Variable  KEY  Known  Answer  Test  for  the  Decryption  Process  for  the  TCBC-I 
Mode  (Section  5. 3. 2. 3). 

d.  Assign  a  new  value  to  KEYli+i,  KEY2i+i,  and  KEY3i+i,  by  setting  them  equal  to 
the  vector  consisting  of  "0"  in  every  significant  bit  position  except  for  a  single  "1" 
bit  in  position  i+1.  The  parity  bits  may  contain  "1"  or  "0"  to  make  odd  parity. 

NOTE  —  The  above  processing  continues  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameters,  i.e., 
56  times.  The  output  from  the  IUT  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information 
included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values  found  in  Table  A.ll. 
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5.3. 1.4  Permutation  Operation  Known  Answer  Test  for  the  Encryption 

Process  -  TCBC-I  Mode 

Table  28  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC-I  Mode 

TMOVS:  Initialize  KEY1 ,  =KEY2,  =  KEY3,  (where  i=l  ..32)  =  32  KEY  values  from 

Table  A.  12 

IV 1 =0000000000000000 
IV2  =  5555555555555555 
IV3  =  AAAAAAAAAAAAAAAA 
PI  =  P2  =  P3  =  0000000000000000 
Send  P  (where  P  represents  the  values  of  PI,  P2,  and  P3), 

IV1,  IV2,  and  IV3, 

KEYi,  KEY2,...,  KEY32  (where  KEY  represents  the  values  of  KEY1, 
KEY2,  and  KEY3) 

IUT:  FOR  i  =  1  to  32 


Tl:  Ili=Pl®IVl 

Process 

Triple  DES:  Ili  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYlj, 

resulting  in  TEMPli 

T2:  I2i=  P2  ®  IV2 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMP2i 

TEMPI  1  is  decrypted  by  DEA2  using  KEY2j,  resulting  in 
TEMPO 

T3:  I3;=  P3  ©  IV3 

13 i  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYlj, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2, ,  resulting  in 
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TEMP22 

TEMP12  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  Cl; 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,.  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  C2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  C3; 

Send  i,  KEY;  (representing  KEY1;,  KEY2„  and  KEY3;),  IV1,  IV2,  IV3,  PI, 
P2,  P3,  Cli,C2i,C3i 

KEYli+i  =  KEY2i+]  =  KEY3i+i  =  KEY1+1  from  TMOVS 

} 

TMOVS:  Compare  results  with  known  answers.  See  Table  A.  12. 


Table  28  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process 
for  the  TCBC-I  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  KEY3i  to  the  32  constant  KEY 
values  from  Table  A.  12. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  Rj  mod  264  where  R!=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  P  parameters  PI,  P2,  and  P3  to  the  constant  hexadecimal  value  0, 
i.e.,  Plhex=P2hex=P3hex=00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  18. 

2.  The  IUT  should  perform  the  following  for  i=l  through  32: 


NOTE  -  that  the  processing  for  each  clock  cycle  T;  is  displayed. 

a.  At  clock  cycle  Tl: 
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1)  Calculate  the  input  block  Ilj  by  exclusive-ORing  PI  with  IV 1. 

2)  Process  Ilj  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

1)  Calculate  the  input  block  I2j  by  exclusive-ORing  P2  with  IV2. 

2)  Process  12;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMP2i. 

3)  Process  TEMPI!  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMPO. 

At  clock  cycle  T3: 

1)  Calculate  the  input  block  I3j  by  exclusive-ORing  P3  with  IV3. 

2)  Process  I3j  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 

state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMP3i. 

3)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMPO  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3i,  resulting  in  the  ciphertext  value  Clj. 

5)  Set  ciphertextl  Clj  equal  to  the  value  of  00 

At  clock  cycle  T4: 

1)  Process  TEMP22  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3j,  resulting  in  the  ciphertext  value  C2j. 

2)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2,,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP32  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3i,  resulting  in  the  ciphertext  value  C3j. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (which  represents  KEY1, 

KEY2,  and  KEY3),  IV1,  IV2,  IV3,  PO  P2„  and  P3j,  and  the  resulting  CO  C2i? 

and  C3j,  to  the  TMOVS  as  specified  in  Output  Type  3. 
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c.  If  the  IUT  supports  the  decryption  process,  retain  Cl;,  C2,,  and  C3j  for  use  with 
the  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  for  the 
TCBC-I  Mode  (Section  5.3.2.4). 

d.  Assign  a  new  value  to  KEYli+1,  KEY2i+1,  and  KEY3i+i,  by  setting  them  equal  to 
the  next  key  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  continues  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  should  consist  of  32 
output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.  12. 
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5.3. 1.5  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC-I  Mode 

Table  29  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 

TCBC-I  Mode 

TMOVS:  Initialize  KEY  1 ,  =KEY2,  =  KEY3,  (where  i=1..19)  =  19  KEY  values  from 

Table  A. 8 

Pli  =P2;  =  P3j  (where  i=1..19)  =  19  corresponding  P  values  from 
Table  A. 8 

IV 1  =  0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 

Send  IV1,  IV2,  and  IV3, 

Pi,  P2,...,  Pi9(where  P  represents  the  values  of  PI,  P2,  and  P3), 

KEYi,  KEY2,...,  KEY19  (where  KEY  represents  the  values  of  KEY1, 
KEY2,  and  KEY3) 

IUT:  FOR  i  =  1  to  19 


Perform 

Triple 

DES: 


Tl:  Il^PliSIVl 

Ill  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYlj, 
resulting  in  TEMPli 

T2:  I2i=  P2,  ©  IV2 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMP2i 

TEMPI  1  is  decrypted  by  DEA2  using  KEY2j,  resulting  in 
TEMPO 

T3:  13 ;=  P3j  ©  IV3 

I3j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMP3i 
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TEMP2i  is  decrypted  by  DEA2  using  KEY2; ,  resulting  in 
TEMP22 

TEMP12  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  Clj 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2j,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  C2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  C3j 

Send  i,  KEY,  (representing  KEY1;,  KEY2,  and  KEY3,),  IV1,  IV2,  IV3, 
Pli,  P2j,  P3i,  Cli.C2i.C3i 

KEY  li+i  =  KEY2i+1  =  KEY3i+i  =  KEYi+1  from  TMOVS 
PI  i+i  —  —  P3i+i  —  corresponding  Pi+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  See  Table  A. 8. 


Table  29  illustrates  the  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  of  the 

TCBC-I  mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  KEY3  to  the  19  constant  KEY 
values  from  Table  A. 8. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  Rj  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  P  parameters  PI,  P2,  and  P3  to  the  19  constant  P  values  from  Table 
A. 8. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  19. 

2.  The  IUT  should  perform  the  following  for  i=l  through  19: 

NOTE  —  the  processing  for  each  clock  cycle  Tt  is  displayed. 
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a.  At  clock  cycle  T1 : 

1)  Calculate  the  input  block  Ilj  by  exclusive-ORing  Plj  with  IV 1 . 

2)  Process  Ilj  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEYlj,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

1)  Calculate  the  input  block  I2j  by  exclusive-ORing  P2,  with  IV2. 

2)  Process  12;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1;,  resulting  in  intermediate  value  TEMP2, . 

3)  Process  TEMPI  i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2j,  resulting  in  intermediate  value  TEMPO. 

At  clock  cycle  T3: 

1)  Calculate  the  input  block  I3j  by  exclusive-ORing  P3,  with  IV3. 

2)  Process  I3j  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEYlj,  resulting  in  intermediate  value  TEMP3i. 

3)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2j,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMPO  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3j,  resulting  in  the  ciphertext  value  Clj.. 

At  clock  cycle  T4: 

1)  Process  TEMP22  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3j,  resulting  in  the  ciphertext  value  C2j. 

2)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
decrypt  state  using  KEY2j,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP32  through  the  third  DEA  stage,  denoted  DEA3,  in  the 
encrypt  state  using  KEY3„  resulting  in  the  ciphertext  value  C3j. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY  1 ,, 

KEY2i,  and  KEY33,  IV1,  IV2,  IV3,  Plj,  P2j,  P3j,  and  the  resulting  Clj,  C2„  and 

C3j,  to  the  TMOVS  as  specified  in  Output  Type  3. 
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c.  If  the  IUT  supports  the  decryption  process,  retain  Cl,  C2,  and  C3  for  use  with  the 
Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  for  the  TCBC- 
I  Mode  (Section  5. 3. 2. 5). 

d.  Assign  a  new  value  to  KEYli+i,  KEY2i+1,  and  KEY3i+]  by  setting  them  equal  to 
the  next  key  supplied  by  the  TMOVS. 

e.  Assign  a  new  value  to  Pli+i,  P2i+i,  and  P3i+i  by  setting  them  equal  to  the 
corresponding  P  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  continues  until  all  19  KEY-P  values  are  processed.  The  output  from  the  IUT  should  consist  of 

19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A. 8. 
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5.3. 1.6  Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC-I  Mode 

Table  30  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCBC-I  Mode 


TMOVS:  Initialize  KEY10,  KEY20,  KEY30,  IV1,  IV2,  IV3,  P10,P20,  P30 

Send  KEYlo,  KEY20,  KEY30,  IV1,  IV2,  IV3,  P10,P20,  P30 

IUT:  FOR  i  =  0  TO  399 

{ 

If  (i==0) 

FOR  k  =  1  TO  3 
CVk0  =  IVk 

Record  i,  KEYO  KEY2„  KEY3;,  CV1„,  CV20,  CV30,  Pl0,  P20,  P30 
FOR  j  =  0  TO  9,999 
{ 

TF  Ilj=  Plj  ®  CVlj  _______________ 

Ilj  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEY lj,  resulting  in  TEMPI i 

T2:  I2j=  P2j  ®  CV2j 

I2j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEY  1;,  resulting  in  TEMP2i 

TEMPI  i  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMPO 

T3:  I3j=  P3j  ®  CV3j 

I3j  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEY  F,  resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2, ,  resulting  in 
TEMP22 

TEMPO  is  encrypted  by  DEA3  using  KEY3j,  resulting  in 

Cl, 


Perform 

Triple 

DES: 
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ELSE 

KEY3i+i=  KEY3j  ©  C3j_2 
FOR  k  =  1  TO  3 
{ 

Pk0  =  Ckj_, 

CVk0  =  Ckj 

} 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  30,  the  Monte  Carlo  Test  for  the  TCBC-I  Encryption  Process  is 

performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vectors 
IV1,  IV2,  and  IV3,  and  the  plaintext  variables  PI,  P2,  and  P3.  The  P,  IV,  and 
KEY  parameters  consist  of  64  bits  each.  IV2  is  assigned  the  value  of  IVl+Ri  mod 
264  where  Ri  =  5555555555555555.  IV3  is  assigned  the  value  of  IV1+R2  mod  264 
where  R2  =  AAAAAAAAAAAAAAAA. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  22. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CV 10  equal 
to  the  IV 1,  CV20  equal  to  the  IV2,  and  CV3o  equal  to  the  IV3. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1;,  KEY2j,  KEY3j, 
CVlo,  CV20,  CV30,  and  Pl0,  P20,  P30. 

c.  Perform  the  following  for  j  =0  through  9999: 

NOTE  —  the  processing  for  each  clock  cycle  Tt  is  displayed. 


1 )  At  clock  cycle  T 1 : 

a)  Calculate  the  input  block  Ilj  by  exclusive-ORing  Plj  with  CV lj. 
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b)  Process  II,  through  the  first  DEA  stage,  denoted  DEAi,  in  the 

encrypt  state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

a)  Calculate  the  input  block  12,  by  exclusive-ORing  P2,  with  CV2,. 

b)  Process  12,  through  the  first  DEA  stage,  denoted  DEA,,  in  the 
encrypt  state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMP2i. 

c)  Process  TEMPI  i  through  the  second  DEA  stage,  denoted  DEA2,  in 
the  decrypt  state  using  KEY2j,  resulting  in  intermediate  value 
TEMPI  2. 

At  clock  cycle  T3: 

a)  Calculate  the  input  block  13,  by  exclusive-ORing  P3,  with  CV3j. 

b)  Process  13,  through  the  first  DEA  stage,  denoted  DEAi,  in  the 
encrypt  state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMP3i. 

c)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in 
the  decrypt  state  using  KEY2j,  resulting  in  intermediate  value 
TEMP22. 

d)  Process  TEMPI?  through  the  third  DEA  stage,  denoted  DEA3,  in 
the  encrypt  state  using  KEY3i,  resulting  in  the  ciphertext  value  Clj. 

At  clock  cycle  T4: 

a)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in 
the  decrypt  state  using  KEY2j,  resulting  in  intermediate  value 
TEMP3?. 

b)  Process  TEMP2?  through  the  third  DEA  stage,  denoted  DEA3,  in 
the  encrypt  state  using  KEY3i,  resulting  in  the  ciphertext  value  C2,. 

At  clock  cycle  T5: 

a)  Process  TEMP3?  through  the  third  DEA  stage,  denoted  DEA3,  in 
the  encrypt  state  using  KEY3i,  resulting  in  the  ciphertext  value  C3,. 

2)  Prepare  for  loop  j+1  by  doing  the  following: 

a)  If  the  inner  loop  being  processed  is  the  first  loop,  i.e.,  j=0,  assign 
Plj+i,  P2j+i,  and  P3j+i,  with  the  current  value  of  CV10,  CV20,  and 
CV30,  respectively.  Otherwise,  assign  Plj+i  with  Clj_i,  P2j+i  with 
C2j_i,  and  P3j+]  with  C3j_i. 
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b)  Assign  CVlj+i,  CV2j+i,  CV3j+i,  with  the  current  value  of  Clj,  C2j, 
C3j,  respectively. 

d.  Record  the  Clj,  C2j,  C3j. 

e.  Forward  all  recorded  information  from  this  loop,  as  specified  in  Output  Type  4,  to 
the  TMOVS. 

f.  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop.  Note  j  =  9999. 

The  new  KEYli+1  should  be  calculated  by  exclusive-ORing  the  current 
KEY  1;  with  the  Clj. 

The  new  KEY2i+i  calculation  is  based  on  the  values  of  the  keys.  If  KEY lj 
and  KEY2;  are  independent  and  KEY3,  =  KEYlj,  or  KEYlj,  KEY2;,  and 
KEY3j  are  independent,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2;  with  the  C2j_i.  If 
KEYli=KEY2i=KEY3i,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2,  with  the  Clj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If 
KEYli,  KEY2j,  and  KEY3i  are  independent,  the  new  KEY3j+i  should  be 
calculated  by  exclusive-ORing  the  current  KEY3i  with  the  C3j_2.  If  KEY  lj 
and  KEY2;  are  independent  and  KEY3i  =  KEY  lj,  or  if 
KEYli=KEY2i=KEY3i,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  Clj. 

g.  Assign  new  values  to  CV 10,  CV20,  and  CV30,  in  preparation  for  the  next  outer 
loop.  CVlo,  CV20,  and  CV30  should  be  assigned  the  value  of  the  current  Clj,  C2,, 
and  C3j. 

NOTE  —  the  new  CV  should  be  denoted  as  CVo  because  this  value  is  used  for  the  first  pass  through  the 
inner  loop  when  j=0. 

h.  Assign  a  new  value  to  Pl0,  P20,  and  P30  in  preparation  for  the  next  output  loop. 
Plo  should  be  assigned  the  value  of  the  C lj-i -  P20  should  be  assigned  the  value  of 
the  C2j_i,  and  P30  should  be  assigned  the  value  of  the  C3j_i. 

NOTE  —  the  new  P  variables,  PI,  P2,  and  P3  should  be  denoted  as  Plo,  P2o,  and  P3o,  respectively,  to  be 
used  for  the  first  pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  4. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 
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5.3.2  Decryption  Process 

The  process  of  validating  an  IUT  for  the  TCBC-I  mode  which  implements  the  decryption  process 
involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Ciphertext  Known  Answer  Test  -  TCBC-I  mode 

2.  The  Initial  Permutation  Known  Answer  Test  -  TCBC-I  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  TCBC-I  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  -  TCBC-I 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  TCBC-I  mode 

6.  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC-I  mode 
An  explanation  of  the  tests  follows. 
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5.3.2. 1 


The  Variable  Ciphertext  Known  Answer  Test  -  TCBC-I  Mode 


Table  31  The  Variable  Ciphertext  Known  Answer  Test  -  TCBC-I  Mode 


TMOVS:  Initialize  KEY1  =KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555  (based  on  specifications  in  ANSI 
X9.52  -  1998) 

IV3  =  AAAAAAAAAAAAAAAA  (based  on  specifications  in 
ANSI  X9.52  -  1998) 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1JV2JV3 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Ckj  (where  k=1..3  and  i=1..64)  =  Ck  values  in  Table  A. 5 

Send  Cli,Cl2,...,Cl64,  C2,,  C22,...,C264  C3h  C32,...,C364 

IUT:  If  encryption  is  supported: 

Initialize  CO,  C2i,  C3i  =  corresponding  values  from  output  of  Variable 

Plaintext  Known  Answer  Test. 

Otherwise,  use  the  corresponding  values  received  from  the  TMOVS. 

FOR  i  =  1  to  64 

{ 

Hi  =  Cli 

Ili  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMP  1 , 

12,  =  C2i 

I2j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3,  resulting  in  TEMP2i 

TEMPI  i  is  encrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

13;  =  C3i 


Process 

Triple 

DES: 


Tl: 


T2: 


T3: 
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13  i  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

TEMP  1 2  is  decrypted  by  DEAi  using  KEY1,  resulting  in  01, 

Pli  =  01i®IVl 

T4:  TEMP3i  is  encrypted  by  DEA2  using  KEY2,  resulting  in 

TEMP32 

TEMP22  is  decrypted  by  DEAi  using  KEY1,  resulting  in  02; 
P2;=  02,  ©  IV2 

T5:  TEMP32  is  decrypted  by  DEA;  using  KEY1,  resulting  in  03; 

P3;=  03,  ©  IV3 

Send  i.  KEY  (representing  KEY  1 .  KEY2,  and  KEY3),  IV1,  IV2,  IV3, 
Cl;,  C2„  C3„  PI;,  P2;,  P3, 

If  encryption  is  supported: 

Ckj+i  (where  k=1..3)  =  corresponding  Cki+i  from  output  of  Variable 
Plaintext  Known  Answer  Test 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Should  be  the  set  of  basis 

vectors. 


Table  31  illustrates  the  Variable  Ciphertext  Known  Answer  Test  for  the  TCBC-I  mode  of 
operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
01  01  01  01  01  01. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
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IV1  +  Ri  mod  264  where  R;=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  If  the  IUT  does  not  support  encryption,  the  64  constant  ciphertext  values  Cl,  C2, 
and  C3  are  initialized  with  the  corresponding  64  constant  Cl,  C2,  and  C3  values 
from  Table  A. 5. 

d.  If  encryption  is  supported  by  the  IUT,  the  KEYs  and  the  IVs  are  forwarded  to  the 
IUT,  as  specified  in  Input  Type  14.  If  encryption  is  not  supported  by  the  IUT,  the 
KEYs,  the  IVs,  and  the  64  Cl;,  C2,.  and  C3;  values  are  forwarded  to  the  IUT  using 
Input  Type  15. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  C  values  CU,  C2i,  and  C3i,  with  the 
corresponding  CU,  C2i,  and  C3i  values  retained  from  the  Variable  Plaintext 
Known  Answer  Test  for  the  TCBC-I  Mode  (Section  5.3. 1.1).  Otherwise,  use  the 
first  values  received  from  the  TMOVS. 

b.  Perform  the  following  for  i  =  1  through  64: 

NOTE  —  the  processing  for  each  clock  cycle  Tr  is  displayed. 


At  clock  cycle  Tl: 

1)  Set  the  input  block  II;  equal  to  the  value  of  CU 

2)  Process  II;  through  the  DEA  stage  DEA3,  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMPI  i. 

At  clock  cycle  T2: 

1)  Set  the  input  block  12;  equal  to  the  value  of  C2;. 

2)  Process  12;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMP2i. 

3)  Process  TEMPI  i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMPD. 

At  clock  cycle  T3: 

1)  Set  the  input  block  13;  equal  to  the  value  of  C3;. 

2)  Process  13;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMP3;. 
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3)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMP12  through  the  DEA  stage  DEAi  in  the  decrypt  state  using 
KEY1,  resulting  in  the  output  block  01,. 

5)  Calculate  the  plaintext  P 1 ,  by  exclusive-ORing  Olj  with  IV 1. 

At  clock  cycle  T4: 

1)  Process  TEMP22  through  the  DEA  stage  DEAi  in  the  decrypt  state  using 
KEY1,  resulting  in  the  output  block  02,. 

2)  Calculate  the  plaintext  P2,  by  exclusive-ORing  02j  with  IV2. 

3)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP32  through  the  DEA  stage  DEAi  in  the  decrypt  state  using 
KEY1,  resulting  in  the  output  block  03j. 

2)  Calculate  the  plaintext  P3,  by  exclusive-ORing  03j  with  IV3. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY  (which  represents  KEY1, 
KEY2,  and  KEY3),  IV1,  IV2,  IV3,  Cl„  C2„  and  C3„  and  the  resulting  Plt,  P2i 
and  P3i  as  specified  in  Output  Type  3. 

d.  Retain  PI;,  P2,.  and  P3,,  for  use  with  the  Initial  Permutation  Known  Answer  Test 
for  the  TCBC-I  Mode  (Section  5. 3. 2. 2  ). 

e.  If  encryption  is  supported,  set  Cli+i,  C2i+1,  and  C3i+]  equal  to  the  corresponding 
output  from  the  Variable  Plaintext  Known  Answer  Test  for  the  TCBC-I  mode.  If 
encryption  is  not  supported,  assign  new  values  to  Cli+i,  C2i+1,  and  C3i+],  by  setting 
them  equal  to  the  corresponding  C  values  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values.  The  values  of  the  PI,  P2,  and  P3  variables  should  be  the  set  of  basis 
vectors. 
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53.2.2 


The  Initial  Permutation  Known  Answer  -  TCBC-I  Mode 


Table  32  The  Initial  Permutation  Known  Answer  Test  -  TCBC-I  Mode 


TMOVS:  Initialize 


Send 


KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 


Ckj  (where  k=1..3  and  i=1..64)  =  64  corresponding  Pkj  values  from 
Variable  Ciphertext  Known  Answer  Test 


KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1,  IV2,  IV3, 
Cllv..,Cl64,  C21v..,C264,  C31v..,C364 


IUT:  FOR  i  =  1  to  64 

{ 


Perform 

Triple 

DES: 


Tl:  Ilj  =  Cli 

Ili  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMPli 


T2:  12,  =  C2, 


I2j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMP2i 

TEMPli  is  encrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  I3i  =  C3, 


13  i  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3, 
resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

TEMPO  is  decrypted  by  DEAi  using  KEY1,  resulting  in  0 1 , 


Pl,  =  01i®IVl 
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T4:  TEMP3i  is  encrypted  by  DEA2  using  KEY2,  resulting  in 

TEMP32 

TEMP22  is  decrypted  by  DEAi  using  KEY  1,  resulting  in  02; 

P2;=  02,  ®  IV2 

T5:  TEMP32  is  decrypted  by  DEAi  using  KEY  1,  resulting  in  03; 

P3;=  03,  ©  IV3 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1,  IV2,  IV3,  Cl;, 
C2„  C3;,  P1;,P2„P3, 

Ck  ;+i  (where  k=1..3)  =  corresponding  Pki+i  from  TMOVS 

} 

TMOVS:  Compare  Cl,  C2,  and  C3  results  from  each  loop  with  known  answers. 

See  Table  A. 7. 


Table  32  illustrates  the  Initial  Permutation  Known  Answer  Test  for  the  TCBC-I  mode  of 
operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
01  01  01  01  01  01. 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  R,  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV 1  +  R?  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  64-bit  ciphertext  values  Cl;,  C2;,  and  C3;  to  the  corresponding 
plaintext  values  PI;,  P2;,  and  P3;,  respectively,  obtained  from  the  Variable 
Ciphertext  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  15. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 
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NOTE  —  the  processing  for  each  clock  cycle  Tt  is  displayed. 


a. 


At  clock  cycle  Tl: 

1)  Set  the  input  block  II  j  equal  to  the  value  of  Clj. 

2)  Process  If  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMPI  i. 

At  clock  cycle  T2: 

1)  Set  the  input  block  I2j  equal  to  the  value  of  C2j. 

2)  Process  I2j  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMP2i. 

3)  Process  TEMPI  i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP12. 

At  clock  cycle  T3: 

1)  Set  the  input  block  I3i  equal  to  the  value  of  C3,. 

2)  Process  I3i  through  the  DEA  stage  DEA3  in  the  decrypt  state  using  KEY3, 
resulting  in  intermediate  value  TEMP3i. 

3)  Process  TEMP2i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP22. 

4)  Process  TEMP12  through  the  DEA  stage  DEAi,  in  the  decrypt  state  using 
KEY  1,  resulting  in  the  output  block  Olj. 

5)  Calculate  the  plaintext  Plj  by  exclusive-ORing  Olj  with  IV 1. 

At  clock  cycle  T4: 

1)  Process  TEMP22  through  the  DEA  stage  DEAi  in  the  decrypt  state  using 
KEY  1,  resulting  in  the  output  block  02i. 

2)  Calculate  the  plaintext  P2,  by  exclusive-ORing  02j  with  IV2. 

3)  Process  TEMP3i  through  the  second  DEA  stage,  denoted  DEA2,  in  the 
encrypt  state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

1)  Process  TEMP32  through  the  DEA  stage  DEAi  in  the  decrypt  state  using 
KEY  1,  resulting  in  the  output  block  03,. 
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2)  Calculate  the  plaintext  P3,  by  exclusive-ORing  03i  with  IV3. 


b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (which  represents  KEY1, 
KEY2,  and  KEY3),  IV1,  IV2,  IV3,  Ch,  C2„  and  C3„  and  the  resulting  Pl„  P2, 
and  P3i  as  specified  in  Output  Type  3. 

c.  Set  Clj+i,  C2i+i,  and  C3i+i  equal  to  the  corresponding  output  supplied  by  the 
TMOVS. 

NOTE  —  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included 
in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  Cl,  C2, 
and  C3  results  to  the  known  values.  See  Table  A.7. 
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5.3.2.3 


The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  - 
TCBC-I  Mode 


Table  33 


TMOVS: 


IUT: 


The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  TCBC-I 

Mode 

Initialize  KEY1  ,=  KEY2,  =  KEY3,  =  800 1 0 1 0 1010 1 0 1 0 1  (odd  parity  set) 

IV 1 =0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 


If  encryption  supported  by  IUT : 

Send  KEYi  (representing  KEY1,.  KEY2,,  and  KEY3i),  IV1,  IV2,  IV3 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Ckj  (where  k=1..3  and  i=1..56)  =  Ck  values  in  Table  A.ll 

Send  KEY!  (representing  KEYU,  KEY2,,  and  KEY3i),  IV1,IV2,IV3, 

C1,,...,C156,  C21,...,C256,  C3,,...,C356 


If  encryption  is  supported  by  the  IUT: 

Initialize  Cki  (where  k=1..3)  =  corresponding  values  from  output  of  Variable 
Key  Known  Answer  Test  for  the  Encryption  Process. 

Otherwise,  use  the  corresponding  value  received  from  the  TMOVS. 

FOR  i  =  1  to  64 


{ 

If  (i  mod  8^0)  {process  every  bit  except  parity  bits} 

{ 

Hi  =  Cli 

Ili  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3j,  resulting  in  TEMP  1 1 

12,  =  C2i 

I2j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 


Perform 

Triple 

DES: 


Tl: 


T2: 
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KEY3i,  resulting  in  TEMP2i 

TEMPli  is  encrypted  by  DEA2  using  KEY2;,  resulting  in 
TEMPI  2 

T3:  I3i  =  C3j 

13  i  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3j,  resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP22 

TEMP  1 2  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in 

Ob 

Pli  =  01i®IVl 

T4:  TEMP3i  is  encrypted  by  DEA2  using  KEY2,,  resulting  in 

TEMP32 

TEMP22  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in 

02, 

P2;=  02,  ©  IV2 

T5:  TEMP32  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in 

03, 

P3i=  03,  ©  IV3 


Send  i,  KEY;  (representing  KEY1;,  KEY2„  and  KEY3,),  IV1,  IV2,  IV3, 
Cli,  C2„  C3„  Pli,  P2„  P3, 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  “1"  bit  in  the  i+lth  position. 

NOTE  —  odd  parity  is  set. 

If  encryption  is  supported: 

Assign  Cli+i,  C2i+i,  and  C3i+i  to  corresponding  Cli+i,  C2i+],  and 
C3i+i  values  from  Variable  Key  Known  Answer  Test  for  the 
Encryption  Process 

else 


Ck  i+i  (where  k=1..3)  =  corresponding  Cki+]  value  from 


TMOVS 


} 


} 

TMOVS:  Compare  results  from  the  56  decryptions  with  known  answers.  Should  be  PI  =  P2  = 

P3  =  0  for  all  56  rounds. 


Table  33  illustrates  the  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  TCBC-I 
mode  of  operation. 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin= 
KEY2,  bin=  KEY3!  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameters,  IV1,  IV2,  and  IV3.  IV1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  R,  mod  264  where  R1=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV 1  +  R?  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hCx=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  If  the  IUT  does  not  support  encryption,  Cli?  C2,,  and  C3,  values  are  initialized 
with  the  constant  Clj,  C2;,  and  C3;  values  from  Table  A.ll  where  i=1..56. 

d.  If  encryption  is  not  supported  by  the  IUT,  KEY  (representing  KEY1,  KEY2,  and 
KEY3),  IV1,  IV2,  and  IV3,  and  the  56  Cl,  C2,  and  C3  values  are  forwarded  to 
the  IUT,  as  specified  in  Input  Type  15.  Otherwise,  the  KEY  (representing  KEY1, 
KEY2,  and  KEY3),  IV1,  IV2,  and  IV3  are  forwarded  to  the  IUT,  as  specified  in 
Input  Type  14. 

2.  The  IUT  should: 

a.  If  encryption  is  supported,  initialize  the  CU,  C2i,  and  C3i  values  with  the  first 
corresponding  Cl,  C2,  and  C3  values  retained  from  the  Variable  KEY  Known 
Answer  Test  for  the  Encryption  Process  for  the  TCBC-I  Mode  (Section  5.3. 1.3). 
Otherwise,  use  the  first  values  received  from  the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  56: 
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NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 

NOTE  —  the  processing  for  each  clock  cycle  Tt  is  displayed. 

1 )  At  clock  cycle  T 1 : 

a)  Set  the  input  block  II;  equal  to  the  value  of  Cl;. 

b)  Process  Ilj  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

a)  Set  the  input  block  12;  equal  to  the  value  of  C2;. 

b)  Process  12;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMP2i. 

c)  Process  TEMPI  i  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2j,  resulting  in  intermediate  value  TEMPI?. 

At  clock  cycle  T3: 

a)  Set  the  input  block  13;  equal  to  the  value  of  C3;. 

b)  Process  13;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3;,  resulting  in  intermediate  value  TEMP3;. 

c)  Process  TEMP2;  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP22. 

d)  Process  TEMPI?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEY1;,  resulting  in  the  output  block  01;. 

e)  Calculate  the  plaintext  PI;  by  exclusive-ORing  01;  with  IV 1. 

At  clock  cycle  T4: 

a)  Process  TEMP2?  through  the  DEA  stage  DEA;  in  the  decrypt  state 
using  KEY1;,  resulting  in  the  output  block  02;. 

b)  Calculate  the  plaintext  P2;  by  exclusive-ORing  02;  with  IV2. 

c)  Process  TEMP3;  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP3?. 

At  clock  cycle  T5: 
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a)  Process  TEMP32  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEYli,  resulting  in  the  output  block  03j. 

b)  Calculate  the  plaintext  P3j  by  exclusive-ORing  03i  with  IV3. 

2)  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing 
KEYli,  KEY2„  and  KEY3;),  IV1,  IV2,  IV3,  Cl;,  C2„  C3i;  and  the 
resulting  PI;,  P2,.  and  P3i  to  the  TMOVS  as  specified  in  Output  Type  3. 

3)  Set  KEYlj+i,,  KEY2i+i.,  and  KEY3i+i,,  equal  to  the  vector  consisting  of  "0" 
in  every  significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 
The  parity  bits  may  contain  "1"  or  "0"  to  make  odd  parity. 

NOTE  — KEY  1  i+i  =  KEY2.+1  =  KEY3.+,. 

4)  If  encryption  is  supported,  set  the  C  values  Cli+i,  C2i+i,  and  C3i+i,  equal  to 
the  corresponding  Cli+i,  C2i+i,  and  C3i+i  values  retained  from  the  Variable 
KEY  Known  Answer  Test  for  the  Encryption  Process  for  TCBC-I  mode.  If 
encryption  is  not  supported  by  the  IUT,  set  Cli+i,  C2i+i,  and  C3i+]  equal  to 
the  corresponding  Cli+i,  C2i+i,  and  C3i+i,  values  supplied  by  the  TMOVS. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  56  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values.  The  PI,  P2,  and  P3  results  should  be  all  zeros. 
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5.3.2.4  Permutation  Operation  Known  Answer  Test  for  the  Decryption 

Process  -  TCBC-I  Mode 

Table  34  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  - 

TCBC-I  Mode 

TMOVS:  Initialize  KEYI ,  =KEY21  =  KEY3,  (where  i=l  ..32)  =  32  KEY  values  from 

Table  A.  12 

IV 1  =  0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 

If  encryption  is  supported  by  the  IUT: 

Send  IV1,  IV2,  and  IV3 

KEYi,  KEY2,...,  KEY32  (where  KEY  represents  the  values  of 
KEY1,  KEY2,  and  KEY3) 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Ck;  (where  k=l  ..3  and  i=l  ..32)  =  corresponding  Ck,  values  from 

Table  A.  12 

Send  IV1,  IV2,  and  IV3, 

KEYi,  KEY2,...,  KEY32  (where  KEY  represents  the  values  of 
KEYI,  KEY2,  and  KEY3) 

C1,,...,C132,  C21v..,C232,  C31v..,C332 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  CU,  C2i,  C3i  values  with  corresponding  values  retained  from 

Permutation  Operation  Known  Answer  Test  for  Encryption 
Process. 

Otherwise,  use  the  first  values  received  from  the  TMOVS. 

FOR  i  =  1  to  32 


{ 


Ili  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3i, 
resulting  in  TEMPli 

T2:  12,  =  C2i 

I2j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 
resulting  in  TEMP2i 

TEMPli  is  encrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMPI  2 

T3:  13,  =  C3, 

I3j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3i, 
resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2, ,  resulting  in 
TEMP22 

TEMP  1 2  is  decrypted  by  DEAi  using  KEY1;,  resulting  in  Olj 
Pli=01i®IVl 

T4:  TEMP3i  is  encrypted  by  DEA2  using  KEY2i5  resulting  in 

TEMP32 

TEMP22  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in  02i 
P2,=  02,  ®  IV2 

T5:  TEMP32  is  decrypted  by  DEAi  using  KEY  1;,  resulting  in  03j 

P3;=  03,  ©  IV3 

Send  i,  KEY,  (representing  KEYli,  KEY2„  and  KEY3,),  IV1,  IV2,  IV3, 
Cli,  C2„  C3„  Pli,  P2„  P3, 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  corresponding  KEYi+i  supplied  from 
TMOVS 

If  encryption  is  supported: 

Cki+i  (where  k=  1.. 3)  =  corresponding  Cki+i  from  Permutation 
Operation  Known  Answer  Test  for  the  Encryption  Process 

else 
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Cki+i  (where  k=1..3)  =  corresponding  Cki+i  from  TMOVS 


} 

TMOVS:  Compare  results  with  known  answers.  Results  should  be  P1=P2=P3=0. 


Table  34  illustrates  the  Permutation  Operation  Known  Answer  Test  for  the  TCBC-I  Decryption 

Process. 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY  1 KEY2,.  and  KEY3i  variables  are 
initialized  with  the  32  constant  KEYj  values  from  Table  A.  12.  If  the  IUT  does  not 
support  encryption,  the  KEY  variables,  KEYlj,  KEY2,,  and  KEY3j,  and  the  C 
variables,  Cl,  C2,  and  C3  are  initialized  with  the  32  constant  KEY  and  Cl,  C2,  and 
C3  values  from  Table  A.  12. 

NOTE  -  KEY  1  =KE Y 2=KE Y  3 . 

b.  Initializes  the  64-bit  IV  parameters,  IV1,  IV2,  and  IV3.  IV1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  Rj  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  If  encryption  is  supported  by  the  IUT,  the  32  KEY  values  for  KEY1,  KEY2,  and 
KEY3,  and  the  IV1,  IV2,  and  IV3  values  are  forwarded  to  the  IUT  using  Input 
Type  16.  If  encryption  is  not  supported  by  the  IUT,  the  32  KEY,  Cl,  C2,  and  C3 
groups  and  the  IV 1,  IV2,  and  IV3  values  are  forwarded  to  the  IUT  using  Input 
Type  17. 

2.  The  IUT  should: 

a.  If  encryption  is  supported  by  the  IUT,  initialize  the  CU,  C2i,  and  C3i  values  with 
the  first  CU,  C2i,  and  C3i  values  retained  from  the  Permutation  Operation  Known 
Answer  Test  for  the  Encryption  Process  for  the  TCBC-I  Mode  (Section  5.3. 1.4). 
Otherwise,  use  the  first  values  received  from  the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  32: 

NOTE  —  the  processing  for  each  clock  cycle  Ti  is  displayed. 


1 )  At  clock  cycle  T 1 : 

a)  Set  the  input  block  II;  equal  to  the  value  of  Clj. 
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b)  Process  II;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

a)  Set  the  input  block  12;  equal  to  the  value  of  C2,. 

b)  Process  12;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3i,  resulting  in  intermediate  value  TEMP2i. 

c)  Process  TEMPI  i  through  the  DEA  stage  DEA2  in  the  encrypt  state 
using  KEY2i,  resulting  in  intermediate  value  TEMP12. 

At  clock  cycle  T3: 

a)  Set  the  input  block  13;  equal  to  the  value  of  C3;. 

b)  Process  13;  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3;,  resulting  in  intermediate  value  TEMP3;. 

c)  Process  TEMP2;  through  the  DEA  stage  DEA2  in  the  encrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP2?. 

d)  Process  TEMP12  through  the  DEA  stage  DEA;  in  the  decrypt  state 
using  KEY1;,  resulting  in  the  output  block  01;. 

e)  Calculate  the  plaintext  PI;  by  exclusive-ORing  01;  with  IV 1 . 

At  clock  cycle  T4: 

a)  Process  TEMP2?  through  the  DEA  stage  DEA;  in  the  decrypt  state 
using  KEY  1;,  resulting  in  the  output  block  02;. 

b)  Calculate  the  plaintext  P2;  by  exclusive-ORing  02;  with  IV2. 

c)  Process  TEMP3;  through  the  DEA  stage  DEA2  in  the  encrypt  state 
using  KEY2j,  resulting  in  intermediate  value  TEMP32. 

At  clock  cycle  T5: 

a)  Process  TEMP32  through  the  DEA  stage  DEA;  in  the  decrypt  state 
using  KEY1;,  resulting  in  the  output  block  03;. 

b)  Calculate  the  plaintext  P3;  by  exclusive-ORing  03;  with  IV3. 

2)  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing 

KEYlj,  KEY2;,  and  KEY3,),  IV1,  IV2,  IV3,  Cl;,  C2;,  C3„  and  the 

resulting  PI;,  P2;,  and  P3;  to  the  TMOVS  as  specified  in  Output  Type  3. 
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3)  Assign  new  values  to  KEYlj+i,,  KEY2i+i,,  and  KEY3i+i.  by  setting  them 
equal  to  the  corresponding  KEY  values  supplied  by  the  TMOVS. 

NOTE  -  KEY  1  =KE Y 2=KE Y  3 . 

4)  If  encryption  is  supported,  set  the  C  values  Cli+i,  C2i+1,  and  C3i+i  equal  to 
the  corresponding  Cli+i,  C2i+i,  and  C3i+i  values  retained  from  the 
Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  for 
TCBC-I  mode.  If  encryption  is  not  supported  by  the  IUT,  set  Cli+i,  C2i+1, 
and  C3i+i  equal  to  the  corresponding  Cli+i,  C2i+i,  and  C3i+i,  values 
supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  resulting  PI,  P2,  and  P3  results  should  be  all  zeros. 
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5.3.2.5  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 
TCBC-I  Mode 

Table  35  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  - 

TCBC-I  Mode 

TMOVS:  Initialize  KEYI ,  =KEY2,  =  KEY3,  (where  i  =  1..19)  =  19  KEY  values  from 

Table  A. 8 

IV 1 =0000000000000000 

IV2  =  5555555555555555 

IV3  =  AAAAAAAAAAAAAAAA 

If  encryption  is  supported  by  the  IUT: 

Send  IV1,  IV2,  and  IV3, 

KEYi,  KEY2,...,  KEY19  (where  KEY  represents  the  values  of 
KEY1,  KEY2,  and  KEY3) 

If  encryption  is  not  supported  by  the  IUT: 

Initialize  Ck;  (where  k=  1.. 3  and  where  i=l„  19)  =  corresponding  Ck;  values 

from  Table  A. 8 

Send  IV1,  IV2,  and  IV3, 

KEYi,  KEY2,...,  KEY19  (where  KEY  represents  the  values  of 
KEYI,  KEY2,  and  KEY3) 

C1,,...,C119,  C21,...,C219,  C31v..,C319 

IUT:  If  encryption  is  supported  by  the  IUT: 

Initialize  Cl  i,  C2i,  C3i  values  retained  from  Substitution  Table  Known 

Answer  Test  for  Encryption  Process. 

Otherwise,  use  the  first  values  received  from  the  TMOVS. 

FOR  i  =  1  to  19 


Ili  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 
resulting  in  TEMPli 

T2:  12,  =  C2i 

I2i  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 
resulting  in  TEMP2i 

TEMPli  is  encrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMPI  2 

T3:  13 1  =  C3j 

I3i  is  read  into  TDEA  and  is  decrypted  by  DEA3  using  KEY3j, 
resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2, ,  resulting  in 
TEMP22 

TEMP  1 2  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in  Olj 
Pli=01i®IVl 

T4:  TEMP3i  is  encrypted  by  DEA2  using  KEY2i,  resulting  in 

TEMP32 

TEMP22  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting  in  02, 
P2i=  02,  ©  IV2 

T5:  TEMP32  is  decrypted  by  DEAi  using  KEY  1;,  resulting  in  03j 

P3i=  03,  ©  IV3 

Send  i,  KEY,  (representing  KEYli?  KEY2„  and  KEY3;),  IV1,  IV2,  IV3, 
Cli,  C2„  C3„  Pli,P2„P3, 

KEYli+i  =  KEY2i+i  =  KEY3i+i  =  corresponding  KEYi+i  supplied  from 
TMOVS 

If  encryption  is  supported: 

Cki+i  (where  k=  1.. 3)  =  corresponding  Cki+i  from  output  of 
Substitution  Table  Known  Answer  Test  for  the  Encryption 
Process 


else 
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Cki+i  (where  k=  1.. 3)  =  corresponding  Cki+i  values  from 
TMOVS 


} 

TMOVS:  Compare  results  with  known  answers. 


Table  35  illustrates  the  Substitution  Table  Known  Answer  Test  for  the  TCBC-I  Decryption 
Process. 

1.  The  TMOVS: 

a.  If  the  IUT  supports  encryption,  the  KEY  1 ,.  KEY2,,  and  KEY3j  variables  are 
initialized  with  the  19  constant  KEY  values  from  Table  A. 8.  If  the  IUT  does  not 
support  encryption,  the  KEY  variables,  KEY1,  KEY2,  and  KEY3,  and  the  C 
variables,  Cl,  C2,  and  C3  are  initialized  with  the  19  constant  KEY  and  Cl,  C2,  and 
C3  values  from  Table  A. 8. 

NOTE  -  KEY  1  =KE Y 2=KE  Y  3 . 

b.  Initializes  the  64-bit  IV  parameters,  IV 1,  IV2,  and  IV3.  IV 1  is  initialized  to  the 
constant  hexadecimal  value  0,  i.e.,  IVlhex=  00  00  00  00  00  00  00  00.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2  is  computed  by  the  following  equation: 
IV1  +  Rj  mod  264  where  Ri=5555555555555555,  i.e.,  IV2hex  =  55  55  55  55  55  55 
55  55.  IV3  is  computed  by  the  equation  IV1  +  R2  mod  264  where 
R2=AAAAAAAAAAAAAAAA,  i.e.,  IV3hex=  AA  AA  AA  AA  AA  AA  AA  AA. 

c.  If  encryption  is  supported  by  the  IUT,  the  19  KEY  values  for  KEY1,  KEY2,  and 
KEY3,  and  the  IV1,  IV2,  and  IV3  values  are  forwarded  to  the  IUT  using  Input 
Type  16.  If  encryption  is  not  supported  by  the  IUT,  the  19  KEY,  Cl,  C2,  and  C3 
groups  and  the  IV 1,  IV2,  and  IV3  values  are  forwarded  to  the  IUT  using  Input 
Type  17. 

2.  The  IUT  should: 

a.  If  encryption  is  supported  by  the  IUT,  initialize  the  Cl,  C2,  and  C3  values  with  the 
first  Cl,  C2,  and  C3  values  retained  from  the  Substitution  Table  Known  Answer 
Test  for  the  Encryption  Process  for  the  TCBC-I  Mode  (Section  5.3. 1.5). 
Otherwise,  use  the  first  value  received  from  the  TMOVS. 

b.  Perform  the  following  for  i  =  1  to  19: 

NOTE  -  the  processing  for  each  clock  cycle  Ti  is  displayed. 

1 )  At  clock  cycle  T 1 : 
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a)  Set  Ilj  equal  to  the  value  of  Clj. 

b)  Process  Ilj  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

a)  Set  12;  equal  to  the  value  of  C2j. 

b)  Process  I2j  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMP2i. 

c)  Process  TEMPI  i  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2j,  resulting  in  intermediate  value  TEMPI?. 

At  clock  cycle  T3: 

a)  Set  13;  equal  to  the  value  of  C3;. 

b)  Process  I3i  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 
KEY3j,  resulting  in  intermediate  value  TEMP3]. 

c)  Process  TEMP2i  through  the  DEA  stage  DEA2  in  the  encrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP2?. 

d)  Process  TEMPI?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEYlj,  resulting  in  the  output  block  O I 

e)  Calculate  the  plaintext  P  I ,  by  exclusive-ORing  01;  with  IV 1. 

At  clock  cycle  T4: 

a)  Process  TEMP2?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEY  1;,  resulting  in  the  output  block  02;. 

b)  Calculate  the  plaintext  P2;  by  exclusive-ORing  02;  with  IV2. 

c)  Process  TEMP3;  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2;,  resulting  in  intermediate  value  TEMP3?. 

At  clock  cycle  T5: 

a)  Process  TEMP3?  through  the  DEA  stage  DEA;  in  the  decrypt  state 
using  KEY1;,  resulting  in  the  output  block  03;. 

b)  Calculate  the  plaintext  P3;  by  exclusive-ORing  03;  with  IV3. 
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2)  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing 
KEYh,  KEY2i,  and  KEY3;),  IV1,  IV2,  IV3,  Cl;,  C2i;  C3i;  and  the 
resulting  PI;,  P2,,  and  P3i  to  the  TMOVS  as  specified  in  Output  Type  3. 

3)  Assign  new  values  to  KEYli+i,,  KEY2i+]j,  and  KEY3i+i,  by  setting  them 
equal  to  the  corresponding  KEYi+i  values  supplied  by  the  TMOVS. 

NOTE  -  KEYli+i  =  KEY2i+i  =  KEY31+i. 

4)  If  encryption  is  supported,  set  the  C  values  Cli+i,  C2i+i,  and  C3i+i  equal  to 
the  corresponding  Cli+i,  C2i+i,  and  C3i+i  values  retained  from  the 
Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  for 
TCBC-I  mode.  If  encryption  is  not  supported  by  the  IUT,  set  Cli+i,  C2i+1, 
and  C3i+i  equal  to  the  corresponding  Cli+i,  C2i+1,  and  C3i+i,  values 
supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY,  Cl,  C2,  and  C3  groups,  as  specified  in  Input  Type  17,  or  all 
19  KEY  values,  as  specified  in  Input  Type  16,  are  processed.  The  output  from  the  IUT  for  this  test  should  consist  of  19  output 
strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5.3.2.6 


Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC-I  Mode 


Table  36  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCBC-I  Mode 

TMOVS  Initialize  KEY10.  KEY20,  KEY30,  IV 1 ,  IV2,  IV3,  C1„,C2„,  C3,» 

Send  KEYlo,  KEY20,  KEY30,  IV1,  IV2,  IV3,  C10,C20,  C30 

IUT:  FOR  i  =  0  TO  399 

{ 

If  (i==0) 

FOR  k=l  to  3 
CVk0  =  IVk 

Record  i,  KEYli;  KEY2„  KEY3j,  CV10,  CV20,  CV30,  Cl0,  C20,  C30 
FOR  j  =  0  TO  9,999 
{ 

~TF  Ilj  =  Clj 

Perform 

Triple  DES:  II j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 

KEY3i,  resulting  in  TEMPI i 

T2:  I2j  =  C2j 

I2j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3j,  resulting  in  TEMP2i 

TEMPI  i  is  encrypted  by  DEA2  using  KEY2,,  resulting 
in  TEMPI 2 

T3:  I3j  =  C3j 

I3j  is  read  into  TDEA  and  is  decrypted  by  DEA3  using 
KEY3i,  resulting  in  TEMP3i 

TEMP2i  is  encrypted  by  DEA2  using  KEY2j ,  resulting 
in  TEMP22 

TEMPO  is  decrypted  by  DEAi  using  KEY  1 ,,  resulting 
in  Olj 


FOR  k=  1  to  3 


{ 

CVkj+1  =  Ckj 
Ckj+i  =  Pkj 

} 

} 

Record  Plj,  P2j,  P3j 

Send  i,  KEY1„  KEY2j,  KEY3;,  CV10,  CV20,  CV30,  Cl0,  C20,  C30  Plj,  P2„ 
P3j 

KEYli+i  =  KEYli  ©  Plj 

IF  (KEYli  and  KEY2,  are  independent  and  KEY3,  =  KEY1;)  or  (KEYli, 
KEY2i,  and  KEY3i  are  independent) 

KEY21+i=  KEY2,  ©  P2j_i 

ELSE 

KEY2i+i=  KEY2,  ©  Pl  j 

IF  (KEYli=  KEY2i=  KEY3;)  or  (KEYli  and  KEY2,  are  independent  and 
KEY3;  =  KEY10 

KEY3i+i=  KEY3j  ©  Pl  j 
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ELSE 

KEY3i+i=  KEY3j  ©  P3j_2 
FOR  k=  1  to  3 
{ 

CVk0  =  Ckj 
Ck0  =  Pkj 

} 

} 

TMOVS  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  36,  the  Monte  Carlo  Test  for  the  TCBC-I  Decryption  Process  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vectors 
IV1,  IV2,  and  IV3,  and  the  ciphertext  variables  Cl,  C2,  and  C3.  The  C  variables, 
the  IV  variables  ,  and  the  KEY  variables  consist  of  64  bits  each.  IV2  is  assigned 
the  value  of  IVl+Ri  mod  264  where  Ri  =  5555555555555555.  IV3  is  assigned  the 
value  of  IV1+R2  mod  264  where  R2  =  AAAAAAAAAAAAAAAA. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  22. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CV 10  equal 
to  the  IV 1,  CV20  equal  to  the  IV2,  and  CV3o  equal  to  the  IV3. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1;,  KEY2,,  KEY3i, 
CVlo,  CV20,  CV30,  and  Cl0,  C20,  C30. 

c.  Perform  the  following  for  j  =0  through  9999: 

NOTE  —  the  processing  for  each  clock  cycle  Tt  is  displayed. 

1 )  At  clock  cycle  T 1 : 
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a)  Set  the  input  block  Ilj  equal  to  the  value  of  Clj. 

b)  Process  II,  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 

KEY3j,  resulting  in  intermediate  value  TEMPI i. 

At  clock  cycle  T2: 

a)  Set  the  input  block  I2j  equal  to  the  value  of  C2j. 

b)  Process  12,  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 

KEY3i,  resulting  in  intermediate  value  TEMP2i. 

c)  Process  TEMPI  i  through  the  DEA  stage  DEA2  in  the  encrypt  state 
using  KEY2i,  resulting  in  intermediate  value  TEMPI?. 

At  clock  cycle  T3: 

a)  Set  the  input  block  I3j  equal  to  the  value  of  C3j. 

b)  Process  13,  through  the  DEA  stage  DEA3  in  the  decrypt  state  using 

KEY3i,  resulting  in  intermediate  value  TEMP3i. 

c)  Process  TEMP2i  through  the  DEA  stage  DEA?  in  the  encrypt  state 
using  KEY2i,  resulting  in  intermediate  value  TEMP22. 

d)  Process  TEMPI?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEYli,  resulting  in  the  output  block  01,. 

e)  Calculate  the  plaintext  PI,  by  exclusive-ORing  Olj  with  IV 1. 

At  clock  cycle  T4: 

a)  Process  TEMP2?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEYli,  resulting  in  the  output  block  02,. 

b)  Calculate  the  plaintext  P2,  by  exclusive-ORing  02,  with  IV2. 

c)  Process  TEMP3i  through  the  DEA  stage  DEA?  in  the  encrypt  state 

using  KEY2j,  resulting  in  intermediate  value  TEMP3?. 

At  clock  cycle  T5: 

a)  Process  TEMP3?  through  the  DEA  stage  DEAi  in  the  decrypt  state 
using  KEYli,  resulting  in  the  output  block  03,. 

b)  Calculate  the  plaintext  P3,  by  exclusive-ORing  03,  with  IV3. 

2)  Prepare  for  loop  j+1  by  doing  the  following: 
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a)  Assign  CVlj+i,  CV2j+i,  CV3j+i  the  current  value  of  Clj,  C2j,  C3j, 
respectively. 

b)  Assign  Clj+i,  C2j+i,  C3j+i  the  current  value  of  Plj,  P2j,  P3j, 
respectively. 

d.  Record  Plj,  P2,,  P3j. 

e.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  4,  to 
the  TMOVS. 

f.  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop.  Note  j  =  9999. 

The  new  KEYli+i  should  be  calculated  by  exclusive-ORing  the  current 
KEYlj  with  the  Plj. 

The  new  KEY2i+i  calculation  is  based  on  the  values  of  the  keys.  If  KEY lj 
and  KEY2;  are  independent  and  KEY3,  =  KEY  1 or  KEY  1;,  KEY2;,  and 
KEY3j  are  independent,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2,  with  the  P2j_i.  If 
KEYli=KEY2i=KEY3i,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2;  with  the  Plj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If 
KEYli,  KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be 
calculated  by  exclusive-ORing  the  current  KEY3j  with  the  P3j_2.  If  KEY  lj 
and  KEY2;  are  independent  and  KEY3i  =  KEY  1;,  or  if 
KEYli=KEY2i=KEY3i,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  Plj. 

g.  Assign  new  values  to  CV 10,  CV20,  and  CV30,  in  preparation  for  the  next  outer 
loop.  CVlo,  CV20,  and  CV30  should  be  assigned  the  value  of  the  current  Clj,  C2j, 
and  C3j,  respectively. 

NOTE  —  the  new  CV  should  be  denoted  as  CVo  because  this  value  is  used  for  the  first  pass  through  the 
inner  loop  when  j=0. 

h.  Assign  a  new  value  to  Clo,  C20,  and  C3o  in  preparation  for  the  next  output  loop. 
Clo  should  be  assigned  the  value  of  the  Plj.  Likewise,  C20  should  be  assigned  the 
value  of  the  P2,,  and  C30  should  be  assigned  the  value  of  the  P3, . 

NOTE  —  the  new  C  variables.  Cl,  C2,  and  C3  should  be  denoted  as  Clo,  C2o,  and  C3o,  respectively,  to  be 
used  for  the  first  pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  4. 
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The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 


5.4  The  Cipher  Feedback  (TCFB)  Mode 


The  IUTs  in  the  TDES  Cipher  Block  Feedback  (TCFB)  mode  of  operation  are  validated  by 
successfully  completing  (1)  a  set  of  Known  Answer  tests  applicable  to  both  IUTs  supporting 
encryption  and/or  decryption  and  (2)  a  Monte  Carlo  test  for  each  cryptographic  process 
supported  by  the  IUT. 

The  process  of  validating  an  IUT  which  supports  the  K-bit  TCFB  mode  in  either  the  encryption 
and/or  decryption  process  involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Text  Known  Answer  Test  -  K-bit  TCFB  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  K-bit  TCFB  mode 

3.  The  Variable  Key  Known  Answer  Test  -  K-bit  TCFB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  K-bit  TCFB  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  K-bit  TCFB  mode 

6.  The  Monte  Carlo  Test  for  the  Encryption  Process  -  K-bit  TCFB  mode  (if  encryption  is 
supported) 


OR 

The  Monte  Carlo  Test  for  the  Decryption  Process  -  K-bit  TCFB  mode  (if  decryption  is 
supported) 

NOTE  —  For  IUTs,  K  can  range  from  1  to  64  bits. 


An  explanation  of  the  tests  follows. 

5.4.1  The  Known  Answer  Tests  -  TCFB  Mode 

The  K-bit  TCFB  mode  has  one  set  of  Known  Answer  tests  which  is  used  regardless  of  supported 
process,  i.e.,  the  same  set  of  Known  Answer  tests  is  for  IUTs  supporting  the  encryption  and/or 
decryption  processes. 

Throughout  this  section,  TEXT  and  RESUFT  will  refer  to  different  variables  depending  on 
whether  the  encryption  or  decryption  process  is  being  tested.  If  the  IUT  performs  TCFB 
encryption,  TEXT  refers  to  plaintext,  and  RESUFT  refers  to  ciphertext.  If  the  IUT  performs 
TCFB  decryption,  TEXT  refers  to  ciphertext,  and  RESUFT  refers  to  plaintext. 

The  notation  FMK(A)  refers  to  the  leftmost  K-bits  of  A. 
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5.4.1. 1 


The  Variable  TEXT  Known  Answer  Test  -  TCFB  Mode 


Table  37  The  Variable  TEXT  Known  Answer  Test  -  TCFB  Mode 

TMOVS:  Initialize  KEYS:  KEY  1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity 

set) 

IVi  =  8000000000000000 
K-bit  TEXT  =  0 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,,  K-bit  TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

Perform 
Triple 
DES: 


Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,.  K-bit 
TEXT,  K-bit  RESULT; 

IV j+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

} 

TMOVS:  Compare  RESULT  from  each  loop  with  known  answers. 

Use  K  bits  of  output  in  Table  A.l. 


Ii  =  IV, 

I;  is  read  into  TDEA  and  is  encrypted  by  DEA;  using  KEY1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  O; 
K-bit  RESULT,  =  LMK(0,)  ©  K-bit  TEXT 


As  summarized  in  Table  37,  the  Variable  TEXT  Known  Answer  Test  for  the  TCFB  mode  of 
operation  is  performed  as  follows: 

1.  The  TMOVS: 
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a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  initialization  vector  IVi  to  the  basis  vector  containing  a"l"  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV;  bin  =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 
TEXThex=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IV;  to  the  input  block  I;. 

b.  Process  I;  through  the  three  DEA  stages,  resulting  in  a  64-bit  output  block  O  .  This 
involves  processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  output  block 
Oi. 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;  with 
the  K-bit  TEXT,  i.e.,  (RESULT1;,  RESULT2;,...,  RESULT*)  =  (O1;  ©  TEXT1,  O2, 
0  TEXT2,...,  0K;  0  TEXTk). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV;,  K-bit  TEXT,  and  the  resulting  K-bit  RESULT;  to  the 
TMOVS  as  specified  in  Output  Type  2. 

e.  Retain  the  K-bit  RESULT  values  for  use  with  the  Inverse  Permutation  Known 
Answer  Test  for  the  TCFB  Mode  (Section  5. 4. 1.2). 

f.  Assign  a  new  value  to  IVi+1  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i+l=2,...,64. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  IV,  i.e.,  64  times.  The  output  from  the 

IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.l.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 

bits  of  output  for  each  RESULT  value  in  Table  A.l  are  used. 
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5.4.1.2 


The  Inverse  Permutation  Known  Answer  Test  -  TCFB  Mode 


Table  38  The  Inverse  Permutation  Known  Answer  Test  -  TCFB  Mode 

TMOVS:  Initialize  KEYs:  KEY1  =  KEY2  =  KEY3  =  0101010101010101 

(odd  parity  set) 

K-bit  TEXT,  (where  i=1..64)=64  RESULT  values  from  the 
Variable  TEXT  Known  Answer  Test 

IVi=  8000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IVi,  K-bit 

TEXT  i,..., K-bit  TEXT64 

IUT:  FOR  i  =  1  to  64 

{ 

Ii  =  IV, 

h  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  O; 

K-bit  RESULT, =  LMK(0,)  ©  K-bit  TEXT, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV„  K-bit  TEXT,, 
K-bit  RESULT, 

IVi+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 
K-bit  TEXTi+i  =  corresponding  K-bit  RESULT  value  from  the  TMOVS 

} 

TMOVS:  Compare  RESULT  from  each  loop  with  known  answers. 

The  RESULTS  should  be  all  zeros. 

As  summarized  in  Table  38,  the  Inverse  Permutation  Known  Answer  Test  for  the  TCFB  mode  of 
operation  is  performed  as  follows: 


Perform 

Triple 

DES: 
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1. 


The  TMOVS: 


a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  initialization  vector  IVi  to  the  basis  vector  containing  a'T"  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV i  bin  =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initializes  the  K-bit  TEXT;  (where  i=  1  ..64)  to  the  RESULT;  values  obtained  from 
the  Variable  TEXT  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  5. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IV;  to  the  input  block  I;. 

b.  Process  I;  through  the  three  DEA  stages,  resulting  in  a  64-bit  output  block  O;.  This 
involves  processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  output  block 
O, 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;  with 
the  K-bit  TEXT;,  i.e.,  (RESULT1;,  RESULT2;,...,  RESULT*;)  =  (O1;  ©  TEXT1;, 

O2;  ©  TEXT2;,...,  0K;  ©  TEXTK;). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  K-bit  TEXT;,  and  the  resulting  K-bit  RESULT;  to  the 
TMOVS  as  specified  in  Output  Type  2. 

e.  Assign  a  new  value  to  IV;+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i+l=2,...,64. 

f.  Assign  a  new  value  to  TEXTi+]  by  setting  it  equal  to  the  corresponding  output 
from  the  TMOVS. 

NOTE  —  This  processing  continues  until  all  RESULT  values  from  the  Variable  TEXT  Known  Answer  Test  have  been  used  as 
input.  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in 
Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values.  The  RESULT  values  should  be  all  zeros. 
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5.4.1.3 


The  Variable  KEY  Known  Answer  Test  -  TCFB  Mode 


Table  39  The  Variable  Key  Known  Answer  Test  -  TCFB  Mode 


TMOVS:  Initialize  KEYs:  KEYli  =  KEY2i  =  KEY3i  =  8001010101010101  (odd 

parity  set) 

IV  =  0000000000000000 
K-bit  TEXT  =  0 

Send  KEY!  (representing  KEYlIs  KEY2,,  and  KEY30,  IV,  K-bit 

TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

EF(  i  mod  8^0)  {process  all  bits  except  parity  bits} 

{ 

Perform 
Triple  DES: 


Send  i,  KEY;  (representing  KEY  1 ,,  KEY2j,  and  KEY3i),  IV,  K-bit 
TEXT,  K-bit  RESULT, 

KEYlj+i  =KEY2i+]  =KEY3j+i  =  vector  consisting  of  "0"  in  every 
significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 

NOTE:  Each  parity  bit  may  have  the  value  "1"  or  "0"  to  make  the  KEY  odd  parity. 

} 

} 


Ii  =  IV 

Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
KEYli,  resulting  in  TEMPI 

TEMPI  is  decrypted  in  DEA2  using  KEY2i,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  0, 
K-bit  RESULTi=  LMK(Oi)  ©  K-bit  TEXT 


TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers. 


Use  K  bits  of  the  results  in  Table  A. 2. 


As  summarized  in  Table  39,  the  Variable  Key  Known  Answer  Test  for  the  TCFB  mode  of 
operation  is  performed  as  follows: 

1.  TheTMOVS: 

a.  Initializes  the  KEY  parameters  KEYU,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYU  bin= 
KEY2,  bin=  KEY3;  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  K-bit  TEXT  to  the  constant  hexadecimal  value  0.  It  is  represented  as 
K  binary  bits,  where  K=l,...,64,  i.e.,  TEXTbin=  01  02,...,0K.  This  is  then  translated 
into  hexadecimal. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 


a.  Assign  the  value  of  the  initialization  vector  IV  to  the  input  block  f. 

b.  Process  I;  through  the  three  DEA  stages,  resulting  in  a  64-bit  output  block  0;.  This 
involves  processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1;,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,,  resulting  in  output  block 
O, 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;  with 
the  K-bit  TEXT,  i.e.,  (RESULT1;,  RESULT2;,...,  RESULT*)  =  (O1;  ©  TEXT1,  O2; 
0  TEXT2,...,  0K;  ©  TEXTk). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  K-bit  TEXT,  and  the  resulting  K-bit  RESULT;  to  the 
TMOVS  as  specified  in  Output  Type  2. 
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e.  Set  KEYlj+i,  KEY2i+i,  and  KEY3i+i  equal  to  the  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  “1"  bit  in  position  i+1.  The  parity  bits 
contain  “1"  or  “0"  to  make  odd  parity. 


NOTE  —  This  processing  should  continue  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameters.  The 
output  from  the  IUT  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included  in  Output 
Type  2. 


3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.2.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 
bits  of  output  for  each  RESULT  in  Table  A. 2  are  used. 
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5.4.1.4  The  Permutation  Operation  Known  Answer  Test  -  TCFB  Mode 

Table  40  The  Permutation  Operation  Known  Answer  Test  -  TCFB  Mode 

TMOVS:  Initialize  KEY  1 ,  =  KEY2i  =  KEY3,  (where  i  =1  ..32)  =  32  KEY  values  in 

Table  A. 3 

IV  =  0000000000000000 
K-bit  TEXT  =  0 

Send  K-bit  TEXT,  IV,  KEYb  KEY2,...,KEY32  (Since  all  three  keys  are  the 

same,  these  KEY  values  represent  the  values  of  KEY1,  KEY2,  and 
KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 

I,  =  IV 

h  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,,  resulting 
in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,.  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  O, 

K-bit  RESULT, =  LMK(Oi)  ®  K-bit  TEXT 

Send  i,  KEY,  (representing  KEY1;,  KEY2„  and  KEY3,),  IV,  K-bit  TEXT, 
K-bit  RESULT, 

KEYli+i  =KEY2,+i  =KEY3,+i  =  corresponding  KEY,+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A. 3. 

As  summarized  in  Table  40,  the  Permutation  Operation  Known  Answer  Test  for  the  TCFB  mode 
of  operation  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  with  the  32  constant 
KEY  values  from  Table  A. 3. 


Perform 

Triple 

DES: 
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b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 
TEXThex=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  8. 

2.  The  IUT  should  perform  the  following  for  i=l  through  32: 

a.  Assign  the  value  of  the  initialization  vector  IV  to  the  input  block  I,. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  a  64-bit  output  block  (),.  This 
involves  processing  I,  through  the  first  DEA  stage,  denoted  DEA|,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2i? 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3i,  resulting  in  output  block 
O, 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;  with 
the  K-bit  TEXT,  i.e.,  (RESULT1;,  RESULT2;,...,  RESULT*,)  =  (O1;  ©  TEXT1,  O2; 
0  TEXT2,...,  0K;  ©  TEXTk). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  K-bit  TEXT,,  and  the  resulting  K-bit  RESULT,  to  the 
TMOVS  as  specified  in  Output  Type  2. 

e.  Set  KEYlj+i,  KEY2i+i,  and  KEY3;+i  equal  to  the  corresponding  KEYi+i  supplied 
by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 

should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.3.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 

bits  of  output  for  each  RESULT  value  in  Table  A. 3  are  used. 
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5.4.1.5  The  Substitution  Table  Known  Answer  Test  -  TCFB  Mode 

Table  41  The  Substitution  Table  Known  Answer  Test  -  TCFB  Mode 

TMOVS:  Initialize  KEY  1 ,  ,KEY2,  .KEY3,  (where  i=1..19)  =  19  KEY  values  in  Table 

A.4 

IV,  (where  i=l ..  19)  =  19  corresponding  TEXT  values  in  Table  A.4 
K-bit  TEXT  =  0 

Send  K-bit  TEXT,  19,  KEYb  IVi,  KEY2,  IV2„.„  KEY19,  IVi9  (Since  all 

three  keys  are  the  same,  these  key  values  represent  the  values  of 
KEY1,  KEY2  and  KEY3.) 

IUT:  FOR  i  =  1  to  19 

{ 

Perform 
Triple 
DES: 


Send  i,  KEY,  (representing  KEY1;,  KEY2„  and  KEY3;),  IV„  K-bit 
TEXT,  K-bit  RESULT, 

KEYli+i  =  KEY2i+1  =  KEY3i+1  =  KEY,+1  from  TMOVS 
IVi+i  =  corresponding  DATAi+i  from  TMOVS 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A.4. 

As  summarized  in  Table  41,  the  Substitution  Table  Known  Answer  Test  for  the  TCFB  mode  of 
operation  is  performed  as  follows: 

1.  The  TMOVS: 


I,  =  IV, 

h  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  O, 
K-bit  RESULT, =  LMK(Oi)  ©  K-bit  TEXT 
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a.  Initializes  the  KEY-IV  pairs  with  the  19  constant  KEY-DATA  values  from  Table 
A.4.  The  DATA  values  are  assigned  to  the  values  of  the  initialization  vectors  IV. 
The  KEY  value  indicates  the  values  of  KEY1,  KEY2,  and  KEY3,  i.e., 

KEY  1 =KE  Y  2=KE  Y  3 . 

b.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  where 
K=l,...,64,  i.e.,  TEXTbin=  01,  02,...,  0K. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  11. 

2.  The  IUT  should  perform  the  following  for  i=l  through  19: 

a.  Assign  the  value  of  the  initialization  vector  IV;  to  the  input  block  I,. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  a  64-bit  output  block  (),.  This 
involves  processing  I,  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,. 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3i,  resulting  in  output  block 
O, 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;, 
LMK(0,),  with  the  K-bit  TEXT,  i.e.,  (RESULT1;,  RESULT2;,...,  RESULT^)  =  (O1; 
©  TEXT1,  O2,  0  TEXT2,...,  0K,  ©  TEXTK). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV,  K-bit  TEXT,,  and  the  resulting  K-bit  RESULT,  to  the 
TMOVS  as  specified  in  Output  Type  2. 

e.  Set  KEYlj+i,  KEY2i+i,  and  KEY3j+i  equal  to  the  corresponding  KEYi+]  supplied 
by  the  TMOVS. 

f.  Set  IV ;+i  equal  to  the  corresponding  DATAi+i  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-DATA  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.4.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 
bits  of  output  for  each  RESULT  value  in  the  Table  A.4  are  used. 
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5.4.2  The  Monte  Carlo  Tests  -  TCFB  Mode 

The  Monte  Carlo  Tests  required  to  validate  an  IUT  for  the  TCFB  mode  of  operation  are 
determined  by  the  process  or  processes  allowed  by  an  IUT.  The  K-bit  TCFB  Monte  Carlo  Test 
for  the  Encryption  Process  is  successfully  completed  if  an  IUT  supports  the  encryption  process  of 
the  TCFB  mode  of  operation.  The  K-bit  TCFB  Monte  Carlo  Test  for  the  Decryption  Process  is 
successfully  completed  if  an  IUT  supports  the  decryption  process. 

5.4.2.1  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCFB  Mode 

Table  42  The  Monte  Carlo  Test  for  the  Encryption  Process  -  TCFB  Mode 

TMOVS:  Initialize  KEY  10,KEY 20,KEY 30,  IV,  K-bit  P0 

Send  KEY  10,KEY 20,KEY 30,  IV,  K-bit  P0 

IUT:  FOR  i  =  0  TO  399 

{ 

(Part  of  If  (i==0)  I0  =  IV 

Triple  DES 

processing): 

Record  i,  KEYli,KEY2„KEY31,  P0 
FOR  j  =  0  TO  9,999 
{ 

Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using 
Perform  KEY  1;,  resulting  in  TEMPI 
Triple 

DES:  TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 

TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  O,. 

Select  the  leftmost  K  bits  of  the  O,,  LMK(Oj),  discarding  the 
rest. 

K-bit  Cj  =  LMk(Oj)  ©  K-bit  Pj 
K-bit  Pj+1  =  LMK(Ij) 
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(Part  of  Triple 
DES 

processing): 

} 

Record  K-bit  Cj,  I0 

Send  i,  KEY1„  KEY2j,  KEY3;,  I0,  K-bit  P0,  K-bit  Cj 

Concatenate  enough  Cs  together  to  get  (length(KEY)*3)  bits  (192  bits) 

KEYli+i  =  KEYlj  ©  bits  129-192  of  C 

IF  (KEYlj  and  KEY2j  are  independent  and  KEY3j  =  KEYlj)  or  (KEYlj, 
KEY2j,  KEY3j  are  independent), 

KEY2i+i  =  KEY2,  ©  bits  65-128  of  C 

ELSE 

KEY2j+i  =  KEY2;  ©bits  129-192  of  C 

IF  (KEYli=KEY2j=KEY3j)  or  (KEYlj  and  KEY2j  are  independent  and 
KEY3;  =  KEYlj), 

KEY3i+i  =  KEY3j  ©bits  129-192  of  C 
ELSE 

KEY3j+i  =  KEY3j  ©bits  1-64  of  C 
K-bit  P0  =  LMK(Ij) 

I0  =  RM(64"K)(Ij)  II  K-bit  Cj 

} 

TMOVS:  Check  the  IUT's  output  for  correctness. 

As  summarized  in  Table  42,  the  Monte  Carlo  Test  for  the  TCFB  Encryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 
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a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vector 
IV,  and  the  plaintext  P  variables.  The  IV,  and  KEYs  consist  of  64  bits  each.  The  P 
is  represented  as  K-bits,  where  K=l,...,64. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  21. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 


a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  assign  the  value  of  the 
initialization  vector  IV  to  the  input  block  f. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1 ,,  KEY2i,  KEY3j, 
and  the  K-bit  P0. 


c.  Perform  the  following  for  j  =0  through  9999: 


1)  Using  the  corresponding  KEYli,KEY2i,  and  KEY3j  values,  process  Ij 

through  the  three  DEA  stages  resulting  in  output  block  0,.  This  involves 
processing  Ij  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state 
using  KEY2j,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed 
directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the  encrypt  state  using 
KEY3j,  resulting  in  output  block  Oj. 


2)  Calculate  the  K-bit  C,  by  exclusive-ORing  the  leftmost  K-bits  of  (),. 

LMk(Oj),  with  the  K-bit  PJ5  i.e.,  (C'j,  C2j,..„  CKj)  =  (O'j  ©  P*j,  02j  ©  P2j,..„ 
0Kj  ©  PKj). 


3)  Prepare  for  loop  j+1  by  doing  the  following: 


a)  Assign  the  K-bit  PJ+i  with  the  value  of  the  leftmost  K-bits  of  the  Ij, 

i.e.,  (PVi,  P2j+1,...,'PKj+i)  =  (l‘j,  I2j,-,  IKj). 

b)  Assign  Vi  with  the  value  of  the  concatenation  of  the  rightmost  (64- 
K)  bits  of  Ij  with  the  K-bit  Q,  i.e.,(l‘j+i,  I2j+i,...,I64j+i)  =  (I[K+11j, 

t[K+2]  j64  /—i  1  a~i2  ✓-'iK  \ 

1  j’***’  ^  j’  ^  j’  jv  ))' 


d.  Record  the  K-bit  C,  and  I0. 


e.  Forward  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  6,  to  the 
TMOVS. 


f.  In  preparation  for  the  next  output  loop: 

1)  Assign  new  values  to  the  KEY  parameters  KEY1,  KEY2,  and  KEY3.  This 
is  accomplished  by  exclusive-ORing  C  with  the  KEY  value  to  obtain  the 
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new  KEY.  If  the  length  of  the  C  is  less  than  64  (the  length  of  a  DES  key), 
then  C  should  be  expanded  in  length  to  64*3  (to  correspond  to  the 
combined  lengths  of  KEY1+KEY2+KEY3)  before  forming  the  new  KEY 
values.  This  expansion  should  be  accomplished  by  concatenating  X  of  the 
most  current  Cs  together  to  obtain  192  bits  of  C.  For  example,  if  the  length 
of  the  C  is  50  bits  (K=50),  the  expanded  C  =  (C99996v,C509996,  (2*9997,. .., 

/"i  50  1  <50  /— 1 1  f-i50  \ 

9997?  9998?---?*~  9998?  9999?---?<-  9999 )• 

Bits  129-192  of  the  expanded  C  will  be  exclusive-ORed  with  KEY1  to 
form  the  new  KEY1. 

The  calculation  of  the  new  KEY2  and  KEY3  are  based  on  the  values  of  the 
keys.  .  If  KEY  1 ,  and  KEY2,  are  independent  and  KEY3,  =  KEY  1 or 
KEY1,  KEY2  and  KEY3  are  independent,  the  new  KEY2  should  be 
calculated  by  exclusive-ORing  the  current  KEY2  with  bits  65-128  of  the 
expanded  C.  If  KEY  1=KEY2=KEY3,  the  current  KEY2  will  be  exclusive- 
ORed  with  bits  129-192  of  the  expanded  C  to  calculate  the  new  KEY2. 

If  KEY1,  KEY2,  and  KEY3  are  independent,  the  new  KEY3  should  be 
calculated  by  exclusive-ORing  the  current  KEY3  with  bits  1-64  of  the 
expanded  C.  Otherwise,  the  current  KEY3  will  be  exclusive-ORed  with 
bits  129-192  of  the  expanded  C  to  calculate  the  new  KEY3. 

2)  Assign  a  new  value  to  the  K-bit  P0.  The  K-bit  P0  should  be  assigned  the 
value  of  the  leftmost  K-bits  of  the  current  Ij,  i.e.,  (P*0,  P20,...,PKo)  =  (I*j, 
I2j,..„  IKj).  Note  j  =  9999. 


3)  Assign  a  new  value  to  I0.  Io  should  be  assigned  the  value  of  the  rightmost 
(64-K)  bits  of  the  current  Ij  concatenated  with  the  current  K-bit  Cj,  i.e., 
(1*0, 12o,..,  I64o)  =  (I[K+1]j,  I[K+2]j,...,  I64,  C*j,  C2 ,...,  CKj).  Note  j  =  9999. 


NOTE  —  the  new  P  and  I  should  be  denoted  as  Po  and  In  because  these  values  are  used  for  the  first 
pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  6. 


3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5A.2.2 


The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCFB  Mode 


Table  43  The  Monte  Carlo  Test  for  the  Decryption  Process  -  TCFB  Mode 


TMOVS:  Initialize  KEY10,KEY20,KEY30,  IV,  K-bit  C0 

Send  KEY  10,KEY 20,KEY 30,  IV,  K-bit  C0 

IUT:  FOR  i  =  0  TO  399 

{ 

(Part  of  Triple 
DES 

processing): 

Record  i,  KEY li,KEY2i,KEY3i,  K-bit  C0 
FOR  j  =  0  TO  9,999 
{ 


Perform 
Triple  DES: 


} 

Record  Io,  K-bit  P, 

Send  i,  KEY1„  KEY2„  KEY3„  I0,  K-bit  PJ5  K-bit  C, 

Concatenate  enough  Ps  together  to  get  (length(KEY)*3)  bits  (192  bits) 


Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,.  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  O, 

Select  the  leftmost  K  bits  of  the  O,,  LMK(Oj), discarding  the 
rest. 

K-bit  Pj  =  LMK(Oj)  ©  K-bit  C, 

Ij+i  =  RM(64"K)(Ij)  II  K-bit  Cj 
K-bit  Cj+,  =  LMk(0,) 


If  (i==0)  Io  =  IV 
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KEYli+i  =  KEYli  ©  bits  129-192  of  P 

IF  (KEYlj  and  KEY2,  are  independent  and  KEY3j  =  KEY1 ,)  or  (KEYlj, 
KEY2j,  KEY3j  are  independent), 

KEY21+i  =  KEY2,  0  bits  65-128  of  P 

ELSE 

KEY21+i  =  KEY2,  ©bits  129-192  of  P 

IF  (KEYli=KEY2i=KEY3j)  or  (KEYlj  and  KEY2,  are  independent  and 
KEY3;  =  KEY10, 

KEY3i+i  =  KEY3,  ©  bits  129-192  of  P 
ELSE 

KEY3j+i  =  KEY3,  ©bits  1-64  of  P 
I0  =  RM(64"K)(Ij)  II  K-bit  Cj 
K-bit  Co  =  LMK(Oj) 

} 

TMOVS:  Check  the  IUT's  output  for  correctness. 


As  summarized  in  Table  43,  the  Monte  Carlo  Test  for  the  TCFB  Decryption  Process  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3,  the  initialization  vector 
IV,  and  the  ciphertext  C  variables.  The  IV  and  KEYs  consist  of  64  bits  each.  The 
C  is  represented  as  K-bits,  where  K=l,...,64. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  21. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  assign  the  value  of  the 
initialization  vector  IV  to  the  input  block  I,. 

b.  Record  the  current  values  of  the  output  loop  number  i,  KEY lj,  KEY2,.  KEY3j, 
and  the  K-bit  C0. 
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c. 


Perform  the  following  for  j  =  0  through  9999: 


1)  Using  the  corresponding  KEY1 ,,  KEY2,.  and  KEY3j  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  output  block  Oj.  This  involves 
processing  Ij  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state 
using  KEY2i,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed 
directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the  encrypt  state  using 
KEY3i,  resulting  in  output  block  Oj. 


2)  Calculate  the  K-bit  Pj  by  exclusive-ORing  the  leftmost  K-bits  of  Oj, 

LMK(Oj),  with  the  K-bit  Cj,  i.e.,  (P'j,  P2j,..„  PKj)  =  (O'j  ©  C‘j,  02j  0  C2j,..„ 
0Kj  ©  CKj). 


3)  Prepare  for  loop  j+1  by  doing  the  following: 


a)  Assign  IJ+i  with  the  value  of  the  concatenation  of  the  rightmost  (64- 
K)  bits  of  Ij  with  the  K-bit  Q,  i.e.,(I1j+i,  I2j+i,...,I64j+i)  =  (I[K+11j, 

t[K+2]  t64  p  1  a-iK  \ 

1  j’***’  ^  j>  j>  j?***?'-'  j )• 

b)  Assign  the  K-bit  Cj+i  with  the  value  of  the  leftmost  K-bits  of  the  Oj, 
i.e„  (C‘J+i,  C2j+1,...,  CKj+i)  =  (0‘j,  O2,...,  0Kj). 


d.  Record  the  K-bit  P,  and  I0. 


e.  Forward  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  6,  to  the 
TMOVS. 


f.  In  preparation  for  the  next  output  loop: 

1)  Assign  new  values  to  the  KEY  parameters  KEY1,  KEY2,  and  KEY3.  This 
is  accomplished  by  exclusive-ORing  P  with  the  KEY  value  to  obtain  the 
new  KEY.  If  the  length  of  the  P  is  less  than  64  (the  length  of  a  DES  key), 
then  P  should  be  expanded  in  length  to  64*3  (to  correspond  to  the 
combined  lengths  of  KEY1+KEY2+KEY3)  before  forming  the  new  KEY 
values.  This  expansion  should  be  accomplished  by  concatenating  X  of  the 
most  current  Ps  together  to  obtain  192  bits  of  P.  For  example,  if  the  length 
of  the  P  is  50  bits  (K=  50),  the  expanded  P  =  (P99996,...,P509996,  Pl9991,..., 

p50  pi  p50  pi  p50  \ 

“  9997,  r  9998,. ..,r  9998,  r  9999,. „,r  9999;. 

Bits  129-192  of  the  expanded  P  will  be  exclusive-ORed  with  KEY1  to 
form  the  new  KEY1. 


The  calculation  of  the  new  KEY2  and  KEY3  are  based  on  the  values  of  the 
keys.  .  If  KEYlj  and  KEY2;  are  independent  and  KEY3j  =  KEYlj,  or 
KEY1,  KEY2  and  KEY3  are  independent,  the  new  KEY2  should  be 
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calculated  by  exclusive-ORing  the  current  KEY2  with  bits  65-128  of  the 
expanded  P.  If  KEY1=KEY2=KEY3,  the  current  KEY2  will  be  exclusive- 
ORed  with  bits  129-192  of  the  expanded  P  to  calculate  the  new  KEY2. 


If  KEY1,  KEY2,  and  KEY3  are  independent,  the  new  KEY3  should  be 
calculated  by  exclusive-ORing  the  current  KEY3  with  bits  1-64  of  the 
expanded  P.  Otherwise,  the  current  KEY3  will  be  exclusive- ORed  with 
bits  129-192  of  the  expanded  P  to  calculate  the  new  KEY3. 


2) 


Assign  a  new  value  to  I0. 10  should  be  assigned  the  value  of  the  rightmost 


(64-K)  bits  of  the  current  Ij  concatenated  with  the  current  K-bit  Cj,  i.e., 
(IV  I2o,..,I64o)  =  (I[K+11j,  I[K+2]j,~.,  I64,  C'j,  C2j,...,  CKj).  Note  j  =  9999. 


3)  Assign  a  new  value  to  the  K-bit  C0.  The  K-bit  C0  should  be  assigned  the 

value  of  the  leftmost  K-bits  of  the  current  Oj,  i.e.,  (CV  C20,...,  CK0)  =  (O^, 
02j,..„  0Kj).  Note  j  =  9999. 


NOTE  —  the  new  C  and  I  should  be  denoted  as  Co  and  Io  because  these  values  are  used  for  the  first 
pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  6. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5.5  The  Cipher  Feedback  (CFB-P)  Mode 


The  IUTs  that  implement  the  Cipher  Block  Feedback  -  Pipelined  (CFB-P)  mode  of  operation  are 
validated  by  successfully  completing  (1)  a  set  of  Known  Answer  tests  applicable  to  both  IUTs 
supporting  encryption  and/or  decryption  and  (2)  a  Monte  Carlo  test  designed  for  use  with  both 
the  encryption  process  and  the  decryption  process. 

The  pipelined  configuration  is  intended  for  systems  equipped  with  multiple  DEA  processors.  By 
pipelining  the  data,  throughput  is  improved  and  propagation  delay  is  minimized  by  initializing  the 
three  individual  DEA  stages  and  then  simultaneously  clocking  them.  Thus,  with  each  clock  cycle, 
data  is  processed  by  each  DEA,  stage  and  passed  onward  to  the  output  buffer  or  the  next  stage  so 
that  idle  DEA;  stages  are  minimized. 

The  processing  for  each  Known  Answer  test  and  Monte  Carlo  test  is  broken  down  into  clock 
cycles  Tl,  T2,  T3,....  Within  each  clock  cycle,  the  processing  occurring  on  each  active  DEA  is 
discussed.  For  convenience,  let  KEY1  represent  the  key  used  on  processor  DEAi,  KEY2 
represent  the  key  used  on  processor  DEA2,  and  KEY3  represent  the  key  used  on  processor 
DEA3. 


The  process  of  validating  an  IUT  which  only  supports  the  K-bit  TCFB-P  mode  in  either  the 
encryption  and/or  decryption  processes  involves  the  successful  completion  of  the  following  six 
tests: 

1 .  The  Variable  Text  Known  Answer  Test  -  K-bit  TCFB-P  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  K-bit  TCFB-P  mode 

3.  The  Variable  Key  Known  Answer  Test  -  K-bit  TCFB-P  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  K-bit  TCFB-P  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  K-bit  TCFB-P  mode 

6.  The  Monte  Carlo  Test  -  K-bit  TCFB-P  mode 

NOTE  —  for  IUTs,  K  can  range  from  1  to  64  bits. 

The  notation  FMK(A)  refers  to  the  leftmost  K  bits  of  A. 

An  explanation  of  the  tests  follows. 

5.5.1  The  Known  Answer  Tests  -  TCFB-P  Mode 

The  K-bit  TCFB-P  mode  has  only  one  set  of  Known  Answer  tests  which  are  used  regardless  of 
process,  i.e.,  the  same  set  of  Known  Answer  tests  are  used  for  IUTs  supporting  the  encryption 
and/or  decryption  processes. 
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Throughout  this  section,  TEXT  and  RESULT  will  refer  to  different  variables  depending  on 
whether  the  encryption  or  decryption  process  is  being  tested.  If  the  IUT  performs  TCFB-P 
encryption,  TEXT  refers  to  plaintext,  and  RESULT  refers  to  ciphertext.  If  the  IUT  performs 
TCFB-P  decryption,  TEXT  refers  to  ciphertext,  and  RESULT  refers  to  plaintext. 

5.5. 1.1  The  Variable  TEXT  Known  Answer  Test  -  TCFB-P  Mode 

Table  44  The  Variable  TEXT  Known  Answer  Test  -  TCFB-P  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV1 I  =  8000000000000000 

IV2i  =  D555555555555555  (based  on  specifications  in  ANSI 
X9. 52-1998) 

IV3i  =  2AAAAAAAAAAAAAAA  (based  on  specifications  in 
ANSI  X9. 52-1998) 

K-bit  TEXT  =  0 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV1 ,,  IV2,,  IV3i, 

K-bit  TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

With  the  feedback  path  disconnected: 

Tl:  II  =  IVlj 

Perform 

Triple  DES:  II  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 

resulting  in  TEMP  1 1 

T2:  12  =  IV2, 

I2is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP2i 

TEMPI  i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPI  2 

T3:  13  =  IV3; 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 
resulting  in  TEMP3i 
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TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

Connect  the  feedback  path: 

TEMP12  is  encrypted  by  DEA3  using  KEY3,  resulting  in  01; 

K-bit  RESULT  lj  =  LMK(01i)  ©  K-bit  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  02; 

K-bit  RESULT2;  =  LMK(O20  0  K-bit  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  03; 

K-bit  RESULT3;  =  LMK(03,)  ©  K-bit  TEXT 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  II,  12, 13,  K-bit 
TEXT,  K-bit  RESULT1;,  K-bit  RESULT2,,  K-bit  RESULT3, 

IVli+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

IV2i+1  =  IV1,  +R;  mod  264  where  Ri=5555555555555555 

IV3i+i  =  IV 1;  +R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Compare  RESULT  1,  RESULT2,  and  RESULT3  from  each  loop  with  known 

answers. 

Use  K  bits  of  output  in  Table  A. 9. 

As  summarized  in  Table  44,  the  Variable  TEXT  Known  Answer  Test  for  the  TCFB-P  mode  of 
operation  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 

hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
01  01  01  01  01  01. 
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b.  Initializes  the  3  initialization  vectors  accordingly:  IVli  is  set  to  the  basis  vector 
containing  a"l"  in  the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e., 

IV 1  bin  =  10000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00 
00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998,  IV2i  is  computed  by  the 
following  equation:  IVli  +  Ri  mod  264  where  Ri=5555555555555555  .  In 
hexadecimal,  this  equates  to  D5  55  55  55  55  55  55  55.  And  IV3i  is  computed  by 
the  equation  IV 1 1  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA  .  In 
hexadecimal,  this  equates  to  2A  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 
TEXThex=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1;  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMPI i. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2;  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3,  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP3i. 


c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP22. 
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Connect  the  feedback  path: 

d)  TEMPI 2  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3,  resulting  in  output  block  Olj. 

e)  Calculate  the  K-bit  RESULTl ,  by  exclusive-ORing  the  leftmost  K- 
bits  of  Olj  with  the  K-bit  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  02;. 

b)  Calculate  the  K-bit  RESULT2,  by  exclusive-ORing  the  leftmost  K- 
bits  of  02,  with  the  K-bit  TEXT. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  03;. 

b)  Calculate  the  K-bit  RESULT3;  by  exclusive-ORing  the  leftmost  K- 
bits  of  03;  with  the  K-bit  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV1;,  IV2;,  IV3,.  K-bit  TEXT,  K-bit  RESULTl;,  K-bit 
RESULT2;,  and  K-bit  RESULT3;,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Retain  the  K-bit  RESULTl,  RESULT2,  and  RESULT3  values  for  use  with  the 
Inverse  Permutation  Known  Answer  Test  for  the  TCFB-P  Mode  (Section  5. 5. 1.2). 

d.  Assign  a  new  value  to  the  IV  variables.  IVl;+i  is  set  to  the  value  of  a  basis  vector 
with  a  "1"  bit  in  position  i+1,  where  i+l=2,...,64.  IV2i+i  is  set  to  the  value  of  IVl;+] 
+  R;  mod  264  where  R;=5555555555555555.  And  IV3i+i  is  set  to  IVli+i  +  R2  mod 
264  where  R2=AAAAAAAAAAAAAAAA. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  IV1,  i.e.,  64  times.  The  output  from  the 
IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.9.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 
bits  of  output  for  each  RESULT  value  in  the  Table  A. 9  are  used. 


192 


5.5. 1.2  The  Inverse  Permutation  Known  Answer  Test  -  TCFB-P  Mode 

Table  45  The  Inverse  Permutation  Known  Answer  Test  -  TCFB-P  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 1  — ■  8000000000000000 
IV2i  =  D555555555555555 
IV3i  =  2AAAAAAAAAAAAAAA 

K-bit  TEXTr;  (where  r=1..3  and  i=l ..64)  =  64  corresponding 
RESULTr,  values  from  Variable  TEXT  Known  Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IVli,  IV2,,  IV3,,  K- 

bit  TEXTli,...,  K-bit  TEXT164,  K-bit  TEXT2i,..„  K-bit  TEXT264, 
K-bit  TEXT3i,..„  K-bit  TEXT364 

IUT:  FOR  i  =  1  to  64 

{ 

With  the  feedback  path  disconnected: 

Tl:  II  =  IVli 

Perform 

Triple  DES:  II  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 

resulting  in  TEMPli 

T2:  12  =  IV2i 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  13  =  IV3j 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

Connect  the  feedback  path: 
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TEMPI 2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  01; 

K-bit  RESULT  1;  =  LMK(01;)  ©  K-bit  TEXT1, 

T4:  TEMP3]  is  decrypted  by  DEA2  using  KEY2,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  02; 

K-bit  RESULT2;  =  LMK(02;)  ©  K-bit  TEXT2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  03; 

K-bit  RESULT3;  =  LMK(03;)  ©  K-bit  TEXT3, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  II,  12, 13,  K-bit 
TEXT1;, ,  K-bit  TEXT2;,  K-bit  TEXT3,,  K-bit  RESULT  1„  K-bit 
RESULT2;,  K-bit  RESULT3, 

IVl;+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

IV2i+1  =  IV 1;  +  R;  mod  264  where  R;=5555555555555555 

IV3i+i  =  IV 1;  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

K-bit  TEXTri+i  (where  r  =  1..3)=  corresponding  K-bit  RESULTri+i  value 
from  the  TMOVS 

} 

TMOVS:  Compare  RESULT  1,  RESULT2,  and  RESULT3  from  each  loop  with  known 

answers, 

They  should  be  all  zeros. 

As  summarized  in  Table  45  the  Inverse  Permutation  Known  Answer  Test  for  the  TCFB-P  mode 
of  operation  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant  hexadecimal 
value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01  01  01  01  01  01 
01. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV 1 1  is  set  to  the  basis  vector 
containing  a'T"  in  the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IVib;„ 
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=  10000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00 
00  00.  Based  on  specifications  in  ANSI  X9.52-1998,  IV2i  is  computed  by  the 
following  equation:  IVli  +  Ri  mod  264  where  Ri=5555555555555555  .  In 
hexadecimal,  this  equates  to  D5  55  55  55  55  55  55  55.  And  IV3i  is  computed  by  the 
equation  IV 1 1  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA  .  In  hexadecimal, 
this  equates  to  2A  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  K-bit  TEXTr;  (where  r=l,. . .,3  and  i=l,. . .,64)  to  the  RESULTr, 
obtained  from  the  Variable  TEXT  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  15. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1;  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMPI i. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2,  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3,  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP3i. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 
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d)  TEMPI 2  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3,  resulting  in  output  block  Olj. 

e)  Calculate  the  K-bit  RESULTS  by  exclusive-ORing  the  leftmost  K- 
bits  of  Olj  with  the  K-bit  TEXT1;. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  02i. 

b)  Calculate  the  K-bit  RESULT2i  by  exclusive-ORing  the  leftmost  K- 
bits  of  02j  with  the  K-bit  TEXT2,. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  03;. 

b)  Calculate  the  K-bit  RESULT3j  by  exclusive-ORing  the  leftmost  K- 
bits  of  03j  with  the  K-bit  TEXT3j. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV1„  IV2„  IV3i,  K-bit  TEXT1;,  K-bit  TEXT2„  K-bit  TEXT3;, 
K-bit  RESULT  k,  K-bit  RESULT2,,  and  K-bit  RESULT3;,  to  the  TMOVS  as 
specified  in  Output  Type  3. 

c.  Assign  a  new  value  to  the  IV  variables.  IVlj+i  is  set  to  the  value  of  a  basis  vector 
with  a  "1"  bit  in  position  i+1,  where  i+l=2,...,64.  IV2i+i  is  set  to  the  value  of 
IVli+i  +  Ri  mod  264  where  Ri=5555555555555555.  And  IV3i+i  is  set  to  IVli+i  + 

R2  mod  264  where  R2=AAAAAAAAAAAAAAAA. 

d.  Assign  a  new  value  to  the  K-bit  TEXTli+i,  K-bit  TEXT2i+i,  and  K-bit  TEXT3j+i 
by  setting  it  equal  to  the  corresponding  output  from  the  TMOVS. 

NOTE  —  This  continues  until  every  RESULT1,  RESULT2,  and  RESULT3  value  from  the  Variable  TEXT  Known  Answer  Test 
has  been  used  as  input.  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  RESULT  1,  RESULT2,  and  RESULT3  values  should  be  all  zeros. 
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5.5. 1.3 


The  Variable  KEY  Known  Answer  Test  -  TCFB-P  Mode 


TMOVS 


IUT: 


Table  46  The  Variable  KEY  Known  Answer  Test  -  TCFB-P  Mode 

Initialize  KEY1 ,  =  KEY2,  =  KEY3,  =  8001010101010101  (odd  parity  set) 

IV 1  =  0000000000000000 
IV2  =  5555555555555555 
IV3  =  AAAAAAAAAAAAAAAA 
K-bit  TEXT  =  0 

Send  KEY!  (representing  KEY1,,  KEY2,,  and  KEY3i),  IV1,  IV2,  IV3, 

K-bit  TEXT 


FOR  i  =  1  to  64 

IF  (i  mod  8^0) {process  all  bits  except  parity  bits} 

{ 


Perform 

Triple 

DES: 


With  the  feedback  path  disconnected: 

Tl:  I1  =  IV1 

11  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMPli 

T2:  12  =  IV2 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMPO 

T3:  13  =  IV3 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP22 

Connect  the  feedback  path: 
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TEMP12  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  01; 

K-bit  RESULT  1;  =  LMK(01i)  ©  K-bit  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2;,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  02; 

K-bit  RESULT2,  =  LMK(02,)  0  K-bit  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  03; 

K-bit  RESULT3;  =  LMK(03,)  ©  K-bit  TEXT 

Send  i,  KEY,  (representing  KEY1„  KEY2;,  and  KEY3;),  II,  12, 13,  K-bit 
TEXT,  K-bit  RESULT1,,  K-bit  RESULT2,,  K-bit  RESULT3, 

KEYli+i  =  KEY2  i+i  =  KEY3  i+i=  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  “1"  bit  in  position  i+1.  Each 
parity  bit  may  have  the  value  “1"  or  “0"  to  make  the  KEY  odd  parity. 

} 

TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers. 

Use  K  bits  of  the  results  in  Table  A.ll. 


As  summarized  in  Table  46,  the  Variable  KEY  Known  Answer  Test  for  the  TCFB-P  Mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY  1 1,  KEY2,,  and  KEY3;  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEY1;  bin= 
KEY2,  bin=  KEY3;  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV1  is  assigned  the  value  0,  i.e., 
IV1  hex  =  00  00  00  00  00  00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998, 
IV2  is  computed  by  the  following  equation:  IV 1  +  R;  mod  264  where 
Ri=5555555555555555.  In  hexadecimal,  this  equates  to  55  55  55  55  55  55  55  55. 
And  IV3  is  computed  by  the  equation  IV 1  +  R?  mod  264  where 
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R2=AAAAAAAAAAAAAAAA.  In  hexadecimal,  this  equates  to  AA  AA  AA  AA 
AA  AA  AA  AA. 

c.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 
TEXThex  =  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMPI]. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEA]  in  the  encrypt  state  using 
KEYl;,  resulting  in  intermediate  value  TEMP2]. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEA]  in  the  encrypt  state  using 
KEYl;,  resulting  in  intermediate  value  TEMP3]. 

c)  TEMP2]  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3],  resulting  in  output  block  Olj. 
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e)  Calculate  the  K-bit  RESULT  1;  by  exclusive-ORing  the  leftmost  K- 
bits  of  Olj  with  the  K-bit  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3j,  resulting  in  output  block  02,. 

b)  Calculate  the  K-bit  RESULT2,  by  exclusive-ORing  the  leftmost  K- 
bits  of  02j  with  the  K-bit  TEXT. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2j,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3j,  resulting  in  output  block  03j. 

b)  Calculate  the  K-bit  RESULT3j  by  exclusive-ORing  the  leftmost  K- 
bits  of  03j  with  the  K-bit  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing  KEY1 ,, 
KEY2„  and  KEY3;),  IV1,  IV2,  IV3,  K-bit  TEXT,  K-bit  RESULT li;  K-bit 
RESULT2,,  and  K-bit  RESULT3j,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEY1  i+1,  KEY2i+],  and  KEY3i+i  equal  to  the  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  “1"  bit  in  position  i+1.  The  parity  bits 
contain  “1"  or  “0"  to  make  odd  parity. 

NOTE  —  This  processing  should  continue  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameters.  The 
output  from  the  IUT  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included  in  Output 
Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.  11.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 
bits  of  output  for  each  RESULT  value  in  the  Table  A.  11  are  used. 
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5.5. 1.4 


The  Permutation  Operation  Known  Answer  Test  -  TCFB-P  Mode 


Table  47  The  Permutation  Operation  Known  Answer  Test  -  TCFB-P  Mode 

TMOVS:  Initialize  KEY1,  =  KEY2,  =  KEY3,  (where  i=1..32)  =  32  KEY  values  in 

Table  A.  12 

IV1=  0000000000000000 
IV2  =5555555555555555 
IV3  =AAAAAAAAAAAAAAAA 
K-bit  TEXT  =  0 

Send  IV1,  IV2,  IV3,  K-bit  TEXT,  KEY!,  KEY2,...,KEY32  (Since  all 

three  keys  are  the  same,  these  key  values  represent  the  values  of 
KEY1,  KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 


Perform 

Triple 

DES: 


12  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY  li? 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA  using  KEY2,,  resulting  in 
TEMPO 

T3:  13  =  IV3 

13  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY  li? 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA  using  KEY2j,  resulting  in 
TEMP22 

Connect  the  feedback  path: 


With  the  feedback  path  disconnected: 

Tl:  I1  =  IV1 

II  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY li? 
resulting  in  TEMPO 

T2:  12  =  IV2 
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TEMPI 2  is  encrypted  by  DEA  using  KEY3,,  resulting  in  01; 

K-bit  RESULTS  =  LMK(01i)  ©  K-bit  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2;,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  02; 

K-bit  RESULT2,  =  LMK(02,)  0  K-bit  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  03; 

K-bit  RESULT3;  =  LMK(03,)  0  K-bit  TEXT 

Send  i,  KEY,  (representing  KEY1„  KEY2;,  and  KEY3;),  II,  12, 13,  K-bit 
TEXT,  K-bit  RESULT  1„  K-bit  RESULT2,,  K-bit  RESULT3, 

KEYli+i  =  KEY2i+]  =  KEY3i+i=  corresponding  KEYi+1  from  TMOVS. 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Use  K  bits  of  output  in  Table  A.  12. 


As  summarized  in  Table  47,  the  Permutation  Operation  Known  Answer  Test  for  the  TCFB-P 
mode  of  operation  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  with  the  32  constant 
KEY  values  from  Table  A.  12. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV1  is  assigned  the  value  0,  i.e., 
IV  hex  =  00  00  00  00  00  00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998, 
IV2  is  computed  by  the  following  equation:  IV 1  +  R;  mod  264  where 
Ri=5555555555555555.  In  hexadecimal,  this  equates  to  55  55  55  55  55  55  55  55. 
And  IV3  is  computed  by  the  equation  IV 1  +  R2  mod  264  where 

R2 = A  A  A  A  A  A  A  A  A  A  A  A  A  A  A  A .  In  hexadecimal,  this  equates  to  AA  AA  AA  AA 
AA  AA  AA  AA. 

c.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 

TEXThex  =  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  18. 

2.  The  IUT  should  perform  the  following  for  i=l  through  32: 
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a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMPI  i. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYlj,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMP3i. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA?  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP2?. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3;,  resulting  in  output  block  Olj. 

e)  Calculate  the  K-bit  RESULT  1;  by  exclusive-ORing  the  leftmost  K- 
bits  of  Olj  with  the  K-bit  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,,  resulting  in  output  block  02,. 

b)  Calculate  the  K-bit  RESULT2;  by  exclusive-ORing  the  leftmost  K- 
bits  of  02;  with  the  K-bit  TEXT. 
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c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 

state  using  KEY2,.  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,.  resulting  in  output  block  03j. 

b)  Calculate  the  K-bit  RESULT3i  by  exclusive-ORing  the  leftmost  K- 
bits  of  03j  with  the  K-bit  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY,  (representing  KEY  1 ,, 
KEY2j,  and  KEY3;),  IV1,  IV2,  IV3,  K-bit  TEXT,  K-bit  RESULT  1;,  K-bit 
RESULT2i,  and  K-bit  RESULT3i,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEYlj+i,  KEY2i+i,  and  KEY3j+i  equal  to  the  corresponding  KEYi+]  supplied 
by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  Table  A.  12.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K  bits 
of  output  for  each  RESULT  value  in  Table  A.  12  are  used. 
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5.5. 1.5  The  Substitution  Table  Known  Answer  Test  -  TCFB-P  Mode 

Table  48  The  Substitution  Table  Known  Answer  Test  -  TCFB-P  Mode 

TMOVS:  Initialize  KEYI,  =  KEY2,  =  KEY3,  (where  i=1..19)  =  19  KEY  values  in 

Table  A.  10 

IV 1;  (where  i=1..19)  =  19  corresponding  TEXT  values  in  Table 
A.  10 

IV2i  =  IV1;  +  Rj  mod  264  where  Ri=5555555555555555 
IV3i  =  IVli  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 
K-bit  TEXT  =  0 

Send  IVli,  IV2„  IV3„  K-bit  TEXT,  KEYi,  KEY2,...,KEYi9  (These  key 

values  represent  the  values  of  KEYI,  KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  19 


Perform 

Triple 

DES: 


12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMPI  2 

T3:  13  =  IV3j 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP22 

Connect  the  feedback  path: 


With  the  feedback  path  disconnected: 

Tl:  11  =  IV1; 

II  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYI;, 
resulting  in  TEMPli 

T2:  12  =  IV2, 
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TEMPI 2  is  encrypted  by  DEA3  using  KEY3,,  resulting  in  01j 

K-bit  RESULT  1;  =  LMK(01i)  ®  K-bit  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  02; 

K-bit  RESULT2,  =  LMK(02,)  ©  K-bit  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  03i 

K-bit  RESULT3i  =  LMK(03i)  ©  K-bit  TEXT 

Send  i,  KEY,  (representing  KEY1„  KEY2„  and  KEY3,),  IV1„  IV2„  IV3„ 
K-bit  TEXT,  K-bit  RESULTS,  K-bit  RESULT2,,  K-bit  RESULT3, 

KEYlj+i  =  KEY21+1  =  KEY31+i=  Corresponding  KEY1+i  from  TMOVS 

IVli+i=  corresponding  DATAi+]  from  TMOVS 

IV2i+1  =  IVli+1  +  Rj  mod  264  where  Ri=5555555555555555 

IV3i+i  =  IVli+i  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

Use  K  bits  of  output  in  Table  A.  10. 

As  summarized  in  Table  48,  the  Substitution  Table  Known  Answer  Test  for  the  TCFB-P  Mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY-IV1  pairs  with  the  19  constant  KEY-DATA  values  from  Table 
A.  10.  The  DATA  values  are  assigned  to  the  values  of  the  initialization  vectors 
IVlj.  The  KEY  value  indicates  the  values  of  KEY  1 ,,  KEY2j,  and  KEY3,,  i.e., 
KEYli=KEY2i=KEY3j.  Based  on  specifications  in  ANSI  X9. 52-1998,  IV2jis  set 
to  IVlj  +  Ri  mod  264  where  Ri=5555555555555555  and  IV3jis  set  to  IVlj  +  R2 
mod  264  where  R2=AAAAAAAAAAAAAAAA. 

b.  Initializes  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e., 
TEXThex  =  00  00  00  00  00  00  00  00. 
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c. 


Forwards  this  information  to  the  IUT  using  Input  Type  25. 


2.  The  IUT  should  perform  the  following  for  i=l  through  19: 
a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1;  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY  1 ,,  resulting  in  intermediate  value  TEMPI  i. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2i  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3;  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMP3]. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3;,  resulting  in  output  block  01;. 

e)  Calculate  the  K-bit  RESULT  1;  by  exclusive-ORing  the  leftmost  K- 
bits  of  01;  with  the  K-bit  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3;,  resulting  in  output  block  02;. 

207 


b)  Calculate  the  K-bit  RESULT2i  by  exclusive-ORing  the  leftmost  K- 
bits  of  02;  with  the  K-bit  TEXT. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2j,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3i,  resulting  in  output  block  03j. 

b)  Calculate  the  K-bit  RESULT3i  by  exclusive-ORing  the  leftmost  K- 
bits  of  03j  with  the  K-bit  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY,  (representing  KEY  1 ,, 
KEY2j,  and  KEY3;),  IV 1;,  IV2i,  IV3;,  K-bit  TEXT,  K-bit  RESULT  1;,  K-bit 
RESULT2i,  and  K-bit  RESULT3i,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEYli+i,  KEY2i+i,  and  KEY3i+i  equal  to  the  corresponding  KEYi+]  supplied 
by  the  TMOVS. 

d.  Set  IVlj+i  equal  to  the  corresponding  DATAi+i  supplied  by  the  TMOVS.  Based  on 
specifications  in  ANSI  X9. 52-1998,  IV2i+i  is  set  to  IVli+]  +  Ri  mod  264  where 
Ri=5555555555555555  and  IV3i+i  is  set  to  IVli+i  +  R2  mod  264  where 

r2=aaaaaaaaaaaaaaaa. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-DATA  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.  10.  For  IUTs  where  K  is  less  than  64,  the  leftmost  K 
bits  of  output  for  each  RESULT  value  in  the  Table  A.  10  are  used. 
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5.5.2  The  Monte  Carlo  Tests  -  TCFB-P  Mode 


The  Monte  Carlo  tests  required  to  validate  an  IUT  for  the  K-bit  TCFB-P  mode  of  operation  are 
determined  by  the  process  or  processes  allowed  by  an  IUT.  The  K-bit  TCFB-P  Monte  Carlo  Test 
for  the  Encryption  Process  is  successfully  completed  if  an  IUT  supports  the  encryption  process  of 
the  TCFB-P  mode  of  operation.  The  K-bit  TCFB-P  Monte  Carlo  Test  for  the  Decryption  Process 
is  successfully  completed  if  an  IUT  supports  the  decryption  process. 

5.5.2.1  The  Monte  Carlo  Test  for  the  Encryption  Process  -  K-bit  TCFB-P 

Mode 

Table  49  The  Monte  Carlo  Test  for  the  Encryption  Process  -  K-bit  TCFB-P  Mode 

TMOVS:  Initialize  KEY l0,KEY20,KEY3o,  IV1,  IV2,  IV3,  K-bit  P0 

Send  KEYlo,KEY20,KEY3o,  IV1,  IV2,  IV3,  K-bit  P0 

IUT:  FOR  i  =  0  TO  399 

{ 

FOR  j  =  0  TO  9,999 

{ 

IF  (j  ==  0,  1,  or  2) 

Ij  =  IV(]+l) 

ELSE 

Ij  =  RM(64  K)  (I(j-1))  II  K-bit  Cj_3 

Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  I ,, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  O, 

K-bit  Cj  =  LMk  (Oj)  ©  K-bit  Pj 
K-bit  Pj+i  =  LMk  (Ij) 

} 

Record  10,  C, 


Perform 
Triple  DES: 
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Send  i,  KEY1;,  KEY2„  KEY3„  10,  II,  12,  K-bit  P0 ,  K-bit  Cj 
Concatenate  enough  C  together  to  get  (length(KEY)*3)  bits  (192  bits) 
KEYli+i  =  KEYb  ©  bits  129-192  of  C 

IF  (KEYlj  and  KEY2,  are  independent  and  KEY3i  =  KEY  1 ,)  or  (KEYlj, 
KEY2j,  KEY3j  are  independent), 

KEY21+i  =  KEY2,  0  bits  65-128  of  C 

ELSE 

KEY2i+1  =  KEY2,  ©bits  129-192  of  C 

IF  (KEYli=KEY2i=KEY3i)  or  (KEYlj  and  KEY2,  are  independent  and 
KEY3;  =  KEY10, 

KEY3i+i  =  KEY3,  ©bits  129-192  of  C 
ELSE 

KEY3i+i  =  KEY3,  ©  bits  1-64  of  C 
K-bit  P0=  LMK(Ij) 

10  =  RM(64  K)(Ij)  li  K-bit  Cj 

11  =10  +  Rj  mod  264  where  R1=5555555555555555 

12  =10  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Check  the  IUT's  output  for  correctness. 

As  summarized  in  Table  49,  the  Monte  Carlo  Test  for  the  TCFB-P  Encryption  Process  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY10,  KEY20,  and  KEY3o,  the  initialization 

vectors  IV 1,  IV2,  and  IV3,  and  the  K-bit  plaintext  P0.  The  IVs,  and  KEYs  consist 
of  64  bits  each.  The  P  is  represented  as  K-bits,  where  K=l,...,64.  IV2  is  assigned 
the  value  of  IV1+R,  mod  264  where  Ri  =  5555555555555555.  IV3  is  assigned  the 
value  of  IVl+R?  mod  264  where  R2  =  AAAAAAAAAAAAAAAA. 
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b.  Forwards  this  information  to  the  IUT  using  Input  Type  24. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1 KEY2,.  KEY3i, 
IV1,  IV2,  IV3,  and  P0. 

b.  Perform  the  following  for  j  =  0  through  9,999: 

1)  If  j  =  0,  1,  or  2,  assign  the  value  of  the  initialization  vector  IVj+i  to  the  input 
block  Ij. 

2)  If  j  >  2,  assign  Ij  with  the  value  of  the  concatenation  of  the  rightmost  (64- 

K)  bits  of  I(j- 1)  with  the  K-bit  Cj_3. 

3)  Process  Ij  through  the  DEA  stage  DEAi  in  the  encrypt  state  using  KEY1 ,, 

resulting  in  intermediate  value  TEMPI. 

4)  TEMPI  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using  KEY2,, 

resulting  in  intermediate  value  TEMP2. 

5)  TEMP2  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using  KEY3,, 

resulting  in  output  block  Oj. 

6)  Calculate  the  K-bit  C,  by  exclusive-ORing  the  leftmost  K-bits  of  O,  with 

the  K-bit  P,. 

7)  Prepare  for  loop  j+1  by  assigning  the  K-bit  P.i+i  with  the  value  of  the 

leftmost  K-bits  of  the  Ij. 

c.  Record  the  current  values  of  the  input  block  10  and  C,. 

d.  Forward  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  8,  to  the 
TMOVS. 

e.  In  preparation  for  the  next  output  loop: 

1)  Concatenate  enough  C  values  together  to  obtain  (length  (KEY)*3)  bits  of 
data  (192  bits). 

2)  Assign  new  values  to  the  KEY  parameters  KEY1,  KEY2,  and  KEY3.  This 
is  accomplished  by  exclusive-ORing  C  with  the  KEY  value  to  obtain  the 
new  KEY.  If  the  length  of  the  C  is  less  than  64  (the  length  of  a  DES  key), 
the  C  should  be  expanded  in  length  to  64*3  (to  correspond  to  the 
combined  lengths  of  KEY1+KEY2+KEY3)  before  forming  the  new  KEY 
values.  This  expansion  should  be  accomplished  by  concatenating  X  of  the 
most  current  Cs  together  to  obtain  192  bits  of  C.  For  example,  if  the  length 


211 


of  the  C  is  50  bits  (X=50),  the  expanded  C  =  (C99996, 

1  /■-'1 50  r- il  /^t50  \ 

?  9998 v?  9998?  9999?---?  9999J- 


c 


50 


9996 


,  c1 


9997 


^50 
W  9997 


Bits  129-192  of  the  expanded  C  will  be  exclusive-ORed  with  KEY1  to 
form  the  new  KEY1. 


The  calculation  of  the  new  KEY2  and  KEY3  are  based  on  the  values  of  the 
keys.  .  If  KEYlj  and  KEY2;  are  independent  and  KEY3j  =  KEYlj,  or 
KEY1,  KEY2  and  KEY3  are  independent,  the  new  KEY2  should  be 
calculated  by  exclusive-ORing  the  current  KEY2  with  bits  65-128  of  the 
expanded  C.  If  KEY1=KEY2=KEY3,  the  current  KEY2  will  be  exclusive- 
ORed  with  bits  129-192  of  the  expanded  C  to  calculate  the  new  KEY2. 

If  KEY1,  KEY2,  and  KEY3  are  independent,  the  new  KEY3  should  be 
calculated  by  exclusive-ORing  the  current  KEY3  with  bits  1-64  of  the 
expanded  C.  Otherwise,  the  current  KEY3  will  be  exclusive-ORed  with 
bits  129-192  of  the  expanded  C  to  calculate  the  new  KEY3. 


3)  Assign  a  new  value  to  the  K-bit  P0.  The  K-bit  P0  should  be  assigned  the 
value  of  the  leftmost  K-bits  of  the  current  Ij,  where  j  =  9999,  i.e.,  (P*0, 
P2o,...,PKo)  =  (I1j,I2jv..,  IKj)- 


4) 


Assign  a  new  value  to  the  I  parameters.  Io  should  be  assigned  the  value  of 
the  concatenation  of  the  rightmost  (64-K)  bits  of  I,  with  the  K-bit  Cj,  i.e. 
(IV  I2o,-..,  I64o)  =  (I[K+11j,  I[K+2]j,...,I64j,  0‘j,  C2j,...,CKj).  h  should  be 


assigned  the  value  of  I0+Ri  mod  264  where  Ri  =  5555555555555555.  I2 


should  be  assigned  the  value  of  I0+R2  mod  264  where  R2  = 
AAAAAAAAAAAAAAAA.  Notej  =  9999. 


NOTE  —  the  new  P  and  I  should  be  denoted  as  Po  and  Io  because  these  values  are  used  for  the  first  pass 
through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  8. 


3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 


5. 5. 2. 2  The  Monte  Carlo  Test  for  the  Decryption  Process  -  K-bit  TCFB-P 

Mode 


Table  50  The  Monte  Carlo  Test  for  the  Decryption  Process  -  K-bit  TCFB-P  Mode 


TMOVS: 

Initialize 

KEY lo,KEY20,KEY30,  IV1,  IV2,  IV3,  K-bit  C0 

Send 

KEY l0,KEY2o,KEY3o,  IV1,  IV2,  IV3,  K-bit  C0 

IUT: 

FOR  i  =  0  TO  399 
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{ 


FOR  j  =  0  TO  9,999 

{ 

Perform 
Triple  DES: 


K-bit  Cj+i  =  LMk  (Oj) 

} 

Record  10,  K-bit  Pj 

Send  i,  KEY1„  KEY2j,  KEY3;,  10,  II,  12,  K-bit  C0 ,  K-bit  P, 

Concatenate  enough  Ps  together  to  get  (length(KEY)*3)  bits  (192  bits) 
KEYli+i  =  KEYli  ©  bits  129-192  of  P 

IF  (KEYlj  and  KEY2,  are  independent  and  KEY3i  =  KEY  1 ,)  or  (KEY  1 ,, 
KEY2i,  KEY3j  are  independent), 

KEY21+i  =  KEY2,  ©  bits  65-128  of  P 

ELSE 

KEY2i+i  =  KEY2,  ©bits  129-192  of  P 

IF  (KEY  1  ,=KEY2,=KEY3I)  or  (KEYlj  and  KEY2,  are  independent  and 
KEY3;  =  KEY10, 
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KEY3j+i  =  KEY3j  ©  bits  129-192  of  P 
ELSE 

KEY3i+i  =  KEY3j  ©bits  1-64  of  P 

10  =  RM(64  K)(Ij)  II  K-bit  Cj 

11  =10  +  Ri  mod  264  where  Ri=5555555555555555 

12  =10  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 
K-bit  Co  =  LMK(Oj) 

} 

TMOVS:  Check  the  IUT's  output  for  correctness. 


As  summarized  in  Table  50,  the  Monte  Carlo  Test  for  the  TCFB-P  Decryption  Process  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY10,  KEY20,  and  KEY3o,  the  initialization 
vectors  IV1,  IV2,  and  IV3,  and  the  K-bit  Co.  The  IVs,  and  KEYs  consist  of  64  bits 
each.  The  C  is  represented  as  K-bits,  where  K=l,...,64.  IV2  is  assigned  the  value 
of  IVl+R]  mod  264  where  Ri  =  5555555555555555.  IV3  is  assigned  the  value  of 
IVI+R2  mod  264  where  R2  =  AAAAAAAAAAAAAAAA. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  24. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  Record  the  current  values  of  the  output  loop  number  i,  KEY  1 KEY2,.  KEY3,, 
IV1,  IV2,  IV3,  and  C0. 

b.  Perform  the  following  for  j  =  0  through  9,999: 

1)  If  j  =  0,  1,  or  2,  assign  the  value  of  the  initialization  vector  IVj+i  to  the  input 
block  Ij. 

2)  If  j  >  2,  assign  Ij  with  the  value  of  the  concatenation  of  the  rightmost  (64- 

K)  bits  of  I(j- 1)  with  the  K-bit  Cj.3. 

3)  Process  Ij  through  the  DEA  stage  DEAi  in  the  encrypt  state  using  KEY!,, 

resulting  in  intermediate  value  TEMPI. 
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4)  TEMPI  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using  KEY2,, 

resulting  in  intermediate  value  TEMP2. 

5)  TEMP2  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using  KEY3i, 

resulting  in  output  block  0,. 

6)  Calculate  the  K-bit  P,  by  exclusive-ORing  the  leftmost  K-bits  of  O,  with  the 

K-bit  Q. 

7)  Prepare  for  loop  j+1  by  assigning  the  K-bit  Cj+i  with  the  value  of  the 

leftmost  K-bits  of  the  0,. 

c.  Record  the  current  values  of  the  input  block  10  and  K-bit  P,. 

d.  Forward  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  8,  to  the  TMOVS. 

e.  In  preparation  for  the  next  output  loop: 

1)  Concatenate  enough  P  values  together  to  obtain  (length  (KEY)*3)  bits  of 
data  (192  bits). 

3)  Assign  new  values  to  the  KEY  parameters  KEY1,  KEY2,  and  KEY3.  This 
is  accomplished  by  exclusive-ORing  P  with  the  KEY  value  to  obtain  the 
new  KEY.  If  the  length  of  the  P  is  less  than  64  (the  length  of  a  DES  key), 
the  P  should  be  expanded  in  length  to  64*3  (to  correspond  to  the  combined 
lengths  of  KEY1+KEY2+KEY3)  before  forming  the  new  KEY  values. 

This  expansion  should  be  accomplished  by  concatenating  X  of  the  most 
current  Ps  together  to  obtain  192  bits  of  P.  For  example,  if  the  length  of  the 
P  is  50  bits  (K=50),  the  expanded  P  =  (P99996,...,  P509996,  P’9997  P5°9997, 

pi  p50  pi  p50  \ 

r  9998,...,  r  9998,  r  gggg,...,  r  9999;. 

Bits  129-192  of  the  expanded  P  will  be  exclusive-ORed  with  KEY  1  to 
form  the  new  KEY1. 

The  calculation  of  the  new  KEY2  and  KEY3  are  based  on  the  values  of  the 
keys.  .  If  KEY  1 ,  and  KEY2,  are  independent  and  KEY3,  =  KEY  1 or 
KEY1,  KEY2  and  KEY3  are  independent,  the  new  KEY2  should  be 
calculated  by  exclusive-ORing  the  current  KEY2  with  bits  65-128  of  the 
expanded  P.  If  KEY1=KEY2=KEY3,  the  current  KEY2  will  be  exclusive- 
ORed  with  bits  129-192  of  the  expanded  P  to  calculate  the  new  KEY2. 

If  KEY1,  KEY2,  and  KEY3  are  independent,  the  new  KEY3  should  be 
calculated  by  exclusive-ORing  the  current  KEY3  with  bits  1-64  of  the 
expanded  P.  Otherwise,  the  current  KEY3  will  be  exclusive-ORed  with 
bits  129-192  of  the  expanded  P  to  calculate  the  new  KEY3. 
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3) 


Assign  a  new  value  to  the  I  parameters.  Io  should  be  assigned  the  value  of 
the  concatenation  of  the  rightmost  (64-K)  bits  of  Ij  with  the  K-bit  Cj,  i.e. 
(l‘o,  iV..,  I64o)  =  (I[K+1]j,  I[K+2]j,... ,I64j,  C'j,  C2j,...,CKj).  I,  should  be 
assigned  the  value  of  Io+Ri  mod  264  where  R!  =  5555555555555555.  I2 
should  be  assigned  the  value  of  I0+R?  mod  264  where  R?  = 
AAAAAAAAAAAAAAAA.  Notej  =  9999. 


4)  Assign  a  new  value  to  the  K-bit  Co.  The  K-bit  Co  should  be  assigned  the 
value  of  the  leftmost  K-bits  of  the  current  Oj,  where  j  =  9999,  i.e.,  (C'o, 
C20,...,CK0)  =  (O'j,  02j,...,  0Kj). 


NOTE  —  the  new  C  and  I  should  be  denoted  as  Co  and  Io  because  these  values  are  used  for  the  first  pass 
through  the  inner  loop  when  j=0. 


NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  8. 


3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5.6  The  Output  Feedback  Mode  -  TOFB  Mode 


The  IUTs  which  implement  the  Output  Feedback  (TOFB)  mode  of  operation  are  validated  by 
successfully  completing  a  set  of  Known  Answer  tests  and  a  Monte  Carlo  test  applicable  to  both 
IUTs  supporting  encryption  and/or  decryption.  Encryption  and  decryption  using  the  TOFB  mode 
of  operation  involve  processing  an  input  block  through  the  encryption  process  of  the  specified 
algorithm.  Therefore,  the  same  set  of  Known  Answer  tests  and  Monte  Carlo  test  can  be  applied  to 
IUTs  supporting  both  encryption  and  decryption. 

The  process  of  validating  an  IUT  which  supports  the  encryption  and/or  decryption  processes  of 
the  TOFB  mode  of  operation  involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Text  Known  Answer  Test  -  TOFB  mode 

2  The  Inverse  Permutation  Known  Answer  Test  -  TOFB  mode 

3.  The  Variable  Key  Known  Answer  Test  -  TOFB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  TOFB  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  TOFB  mode 

6.  The  Monte  Carlo  Test  -  TOFB  mode 

An  explanation  of  the  tests  for  the  TOFB  mode  follows. 
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5.6.1  The  Known  Answer  Tests  -  TOFB  Mode 


In  the  following  description  of  the  Known  Answer  tests,  TEXT  refers  to  plaintext,  and  RESULT 
refers  to  ciphertext  if  the  IUT  performs  TOFB  encryption.  If  the  IUT  supports  TOFB  decryption, 
TEXT  refers  to  ciphertext,  and  RESULT  refers  to  plaintext. 

5.6.1. 1  The  Variable  TEXT  Known  Answer  Test  -  TOFB  Mode 

Table  51  The  Variable  TEXT  Known  Answer  Test  -  TOFB  Mode 

TMOVS:  Initialize  KEYs:  KEY  1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity 

set) 

IV1=  8000000000000000 
TEXT  =  0000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,.  TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

Perform 
Triple  DES: 


Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV;,  TEXT, 
RESULT, 

IVi+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A.  1. 


I,  =  IV, 

Ii  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  O, 
RESULTi=  O,  ®  TEXT 


As  summarized  in  Table  51,  the  Variable  TEXT  Known  Answer  Test  for  the  TOFB  mode  of 
operation  is  performed  as  follows: 
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1. 


The  TMOVS: 


a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  initialization  vector  IVi  to  the  basis  vector  containing  a'T"  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV i  bin  =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IV;  to  the  input  block  I,. 

b.  Process  f  through  the  three  DEA  stages,  resulting  in  a  64-bit  output  block  (),.  This 
involves  processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  output  block 
O, 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  O;  with 
the  K-bit  TEXT. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV„  TEXT,  and  the  RESULT;  to  the  TMOVS  as  specified  in 
Output  Type  2. 

e.  Retain  the  RESULT  values  for  use  with  the  Inverse  Permutation  Known  Answer 
Test  for  the  TOFB  Mode  (Section  5.6. 1.2). 

f.  Assign  a  new  value  to  IV;+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 

"1"  bit  in  position  i+1,  where  i+l=2, _ ,64. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  IV,  i.e.,  64  times.  The  output  from  the 

IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.l. 
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5.6.1.2 


The  Inverse  Permutation  Known  Answer  Test  -  TOFB  Mode 


Table  52  The  Inverse  Permutation  Known  Answer  Test  -  TOFB  Mode 

TMOVS:  Initialize  KEYs:KEYl  =  KEY2  =  KEY3  =  010 10 10101010101  (odd  parity 

set) 

TEXT,  (where  i=1..64)=64  RESULT  values  from  the  Variable 
TEXT  Known  Answer  Test 

IVi=  8000000000000000 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IVi, 

text1..text64 

IUT:  FOR  i  =  1  to  64 

{ 

I,  =  IV, 

I;  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,  resulting  in  O, 
RESULTi=  O,  ©  TEXT, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IV,,  TEXT;, 
RESULT; 

IVj+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 
TEXTj+i  =  corresponding  RESULTi+i  value  from  the  TMOVS 

} 

TMOVS:  Compare  RESULT  from  each  loop  with  known  answers. 

The  TEXT  should  be  all  zeros. 

As  summarized  in  Table  52  the  Inverse  Permutation  Known  Answer  Test  for  the  TOFB  mode  of 
operation  is  performed  as  follows: 


Perform 

Triple 

DES: 
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1. 


The  TMOVS: 


a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
010101010101. 

b.  Initializes  the  64-bit  initialization  vector  IVi  to  the  basis  vector  containing  a'T"  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV i  bin  =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initializes  the  TEXT;  (where  i=l,...,64)  to  the  RESULT;  values  obtained  from  the 
Variable  TEXT  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  5. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IV;  to  the  input  block  I;. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  a  64-bit  output  block  O;.  This 
involves  processing  I;  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY1,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,  resulting  in  output  block 
O, 

c.  Calculate  the  RESULT;  by  exclusive-ORing  the  O;  with  the  TEXT;. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV„  TEXT,,  and  the  RESULT;  to  the  TMOVS  as  specified  in 
Output  Type  2. 

e.  Assign  a  new  value  to  IV;+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i+l=2,...,64. 

f.  Assign  a  new  value  to  TEXTi+i  by  setting  it  equal  to  the  corresponding  output 
from  the  TMOVS. 

NOTE  —  This  processing  continues  until  all  RESULT  values  from  the  Variable  TEXT  Known  Answer  Test  have  been  used  as 
input.  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in 
Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values.  The  RESULT  values  should  be  all  zeros. 
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5.6.1.3 


The  Variable  KEY  Known  Answer  Test  -  TOFB  Mode 


Table  53  The  Variable  Key  Known  Answer  Test  -  TOFB  Mode 


TMOVS:  Initialize  KEYs:  KEYli  =  KEY2i  =  KEY3i  =  8001010101010101  (odd 

parity  set) 

IV  =  0000000000000000 
TEXT  =  0000000000000000 

Send  KEY!  (representing  KEYli,  KEY2,,  and  KEY3i),  IV,  TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

IF  (i  mod  8^0)  {process  all  bits  except  parity  bits} 

{ 

Perform 
Triple 
DES: 


Send  i,  KEY;  (representing  KEY1„KEY2„  and  KEY3;),  IV,  TEXT, 
RESULT, 

KEYli+i  =  KEY2i+i  =  KEY3j+i  =  vector  consisting  of  "0"  in  every 
significant  bit  position  except  for  a  single  "1"  bit  in  position  i+1. 
Each  parity  bit  may  have  the  value  "1"  or  "0"  to  make  the  KEY  odd 
parity. 

} 

} 

TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers.  Use  Table  A. 2. 


k  =  IV 

I;  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEYli, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  Oi 
RESULTi=  O,  ©  TEXT 
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As  summarized  in  Table  53,  the  Variable  Key  Known  Answer  Test  for  the  TOFB  mode  is 
performed  as  follows: 


1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEYli,  KEY2i,  and  KEY3i  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEYli  bin= 
KEY2,  bin=  KEY3,  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  TEXT  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex  =  00  00  00 

00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  2. 

2.  The  IUT  should  perform  the  following  for  i  =  1  to  56: 

NOTE  —  56  is  the  number  of  significant  bits  in  a  TDES  key. 


a.  Assign  the  value  of  the  initialization  vector  IV  to  the  input  block  I;. 

b.  Process  I;  through  the  three  DEA  stages  resulting  in  a  64-bit  output  block  O,.  This 
involves  processing  f  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,, 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3,,  resulting  in  output  block 
O, 

c.  Calculate  the  RESULT;  by  exclusive-ORing  the  O;  with  the  TEXT. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY1;, 
KEY2;,  and  KEY3;),  IV,  TEXT,  and  the  resulting  RESULT;  to  the  TMOVS  as 
specified  in  Output  Type  2. 

e.  Set  KEYlj+i,  KEY2i+i,  KEY3;+i  equal  to  the  vector  consisting  of  “0"  in  every 
significant  bit  position  except  for  a  single  “1"  bit  in  position  i+1.  The  parity  bits 
contain  “1"  or  “0"  to  make  odd  parity. 

NOTE  —  This  processing  should  continue  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameters.  The 
output  from  the  IUT  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included  in  Output 
Type  2. 
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The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A. 2. 


5.6.1.4 


The  Permutation  Operation  Known  Answer  Test  -  TOFB  Mode 


Table  54  The  Permutation  Operation  Known  Answer  Test  -  TOFB  Mode 

TMOVS:  Initialize  KEYI  ,=KEY2,=KEY3I  (where  i=1..32)  =  32  KEY  values  in 

Table  A. 3 

IV  =  0000000000000000 
TEXT  =  0000000000000000 

Send  TEXT,  IV,  KEYi,  KEY2,..„  KEY32  (Since  all  three  keys  are  the 

same,  these  key  values  represent  the  values  of  KEYI,  KEY2,  and 
KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 

I  I,  =  IV 

Perform 

Triple  DES:  I;  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3,,  resulting  in  O; 

RESULT^  O,  ©  TEXT 

Send  i,  KEY;  (representing  KEY11,KEY21,  and  KEY3;),  IV,  TEXT, 
RESULT, 

KEYli+i  =  KEY21+i  =  KEY3i+1  =  Corresponding  KEY1+1  in  Table  A.3 

} 

TMOVS:  Compare  results  with  known  answers.  Use  Table  A.3. 

As  summarized  in  Table  54,  the  Permutation  Operation  Known  Answer  Test  for  the  TOFB  mode 
of  operation  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEYlj,  KEY2,,  and  KEY3i  variables  with  the  32  constant  KEY 
values  from  Table  A.3. 
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b.  Initializes  the  64-bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IVhex  = 

00  00  00  00  00  00  00  00. 

c.  Initializes  the  TEXT  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThcx  =  00  00  00 

00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  8. 

2.  The  IUT  should  perform  the  following  for  i=l  through  32: 

a.  Assign  the  value  of  the  initialization  vector  IV  to  the  input  block  I;. 

b.  Process  I,  through  the  three  DEA  stages  resulting  in  a  64-bit  output  block  O;.  This 
involves  processing  f  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2i? 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3i,  resulting  in  output  block 
0,. 

c.  Calculate  the  RESULT;  by  exclusive-ORing  the  O;  with  the  TEXT. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY1;, 
KEY2;,  and  KEY3;),  IV,  TEXT,  and  the  RESULT,  to  the  TMOVS  as  specified  in 
Output  Type  2. 

e.  Set  KEYlj+i,  KEY2i+],  and  KEY3i+i  equal  to  the  corresponding  KEYi+i  supplied 
by  the  TMOVS. 

NOTE  —The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 

should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A. 3. 
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5.6.1.5 


The  Substitution  Table  Known  Answer  Test  -  TOFB  Mode 


Table  55  The  Substitution  Table  Known  Answer  Test  -  TOFB  Mode 

TMOVS:  Initialize  KEY1 ,,  KEY2,.  KEY3,  (where  i=1..19j  =  19  KEY  values  in 

Table  A.4 

IVj  (where  i=  1 . .  1 9)  =  19  corresponding  DATA  values  in  Table 
A.4 

TEXT  =  0000000000000000 

Send  TEXT,  KEYi,  IV,,  KEY2,  IV2,...,KEY19,  IVi9 (Since  all  three 

keys  are  the  same,  these  key  values  represent  the  values  of 
KEY1,  KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  19 

{ 

Ii  =  IV, 

Ii  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,,  resulting 
in  TEMPI 

TEMPlis  decrypted  by  DEA2  using  KEY2,,  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  Oi 
RESULT, =  O,  ©  TEXT 

Send  i,  KEY,  (representing  KEYlj,  KEY2„  and  KEY3;),  IV„  TEXT, 
RESULT, 

KEYli+1  =KEY2i+i  =  KEY3i+i  =  KEY,+i  from  TMOVS 
IVi+i  =  corresponding  DATAi+i  from  TMOVS 
} 

TMOVS:  Compare  results  from  each  loop  with  known  answers.  Use  Table  A.4. 

As  summarized  in  Table  55,  the  Substitution  Table  Known  Answer  Test  for  the  TOFB  mode  of 
operation  is  performed  as  follows: 

1.  The  TMOVS: 


Perform 

Triple 

DES: 
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a.  Initializes  the  KEY-IV  pairs  with  the  19  constant  KEY-DATA  values  from  Table 
A.4.  The  DATA  values  are  assigned  to  the  values  of  the  initialization  vectors  IVs. 
The  KEY  value  indicates  the  value  of  KEY1,  KEY2  and  KEY3,  i.e., 

KEY  1 =KE  Y  2=KE  Y  3 . 

b.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 

c.  Forwards  this  information  to  the  IUT  using  Input  Type  11. 

2.  The  IUT  should  perform  the  following  for  i=l  through  19: 

a.  Assign  the  value  of  the  initialization  vector  IV,  to  the  input  block  I;. 

b.  Process  I,  through  the  three  DEA  stages,  resulting  in  an  output  block  O;.  This 
involves  processing  I,  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed  directly 
into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state  using  KEY2,. 
resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed  directly  into  the  third  DEA 
stage,  denoted  DEA3,  in  the  encrypt  state  using  KEY3i,  resulting  in  output  block 
0;. 

c.  Calculate  the  RESULT;  by  exclusive-ORing  the  O;  with  the  TEXT. 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY1;, 
KEY2;,  and  KEY3,),  IV;,  TEXT,  and  the  RESULT,  to  the  TMOVS  as  specified  in 
Output  Type  2. 

e.  Set  KEYli+1,  KEY2i+i,  and  KEY3i+i  equal  to  the  corresponding  KEYi+]  value 
supplied  by  the  TMOVS. 

f.  Set  IVj+i  equal  to  the  corresponding  DATAi+i  value  supplied  by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-DATA  pairs  are  processed.  The  output  from  the  IUT  for  this 

test  should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  2. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 

the  known  values  found  in  Table  A.4. 
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5.6.2  The  Monte  Carlo  Test  -  TOFB  Mode 

The  TOFB  mode  has  one  Monte  Carlo  test  that  is  used  regardless  of  process,  i.e.,  the  same 
Monte  Carlo  test  is  used  for  IUTs  supporting  the  encryption  and/or  decryption  processes. 


Table  56 


The  Monte  Carlo  Test  -  TOFB  Mode 


TMOVS:  Initialize  KEY10,KEY20,  KEY30,  IV,  TEXT0 

Send  KEY10,KEY20,  KEY30,  IV,  TEXT0 

IUT:  FOR  i  =  0  TO  399 


{ 


(Part  of 
Triple  DES 
processing): 


Record  i,  KEY1;,  KEY2;,  KEY3„  TEXT0 
INITTEXT  =  TEXTo 
FOR  j  =  0  TO  9,999 
{ 


Perform 
Triple  DES: 


Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  lj 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP2 

TEMP2  is  encrypted  by  DEA3  using  KEY3j,  resulting  in  O, 
RESULTj  =  Oj  ©  TEXTj 


TEXTJ+1  =  Ij 


(Part  of 
Triple  DES 
processing): 


} 


Record  I0,  RESULTj 
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Send  i,KEYli,KEY2i,  KEY3;,  I0,  TEXT0,  RESULTj 
KEYlj+i  =  KEYli  ®  RESULTj 

IF  (KEYlj  and  KEY2;  are  independent  and  KEY3j  =  KEY1 ,)  or 
(KEYli,  KEY2;,  and  KEY3j  are  independent) 

KEY2i+i=  KEY2,  ®  RESULTj., 

ELSE 

KEY2i+i=  KEY2,  ®  RESULTj 

IF  (KEYli=  KEY2j=  KEY3;)  or  (KEYlj  and  KEY2,  are  independent 
and  KEY3j  =  KEY1;) 

KEY3i+i=  KEY3j  ®  RESULTj 

ELSE 

KEY3i+i=  KEY3i  ©  RESULT^ 

TEXTo  =  INITTEXT  ©  I  , 

Io  =  Oj 

} 

TMOVS:  Check  IUT's  output  for  correctness. 


As  summarized  in  Table  56,  the  Monte  Carlo  Test  for  the  TOFB  mode  of  operation  is  performed 
as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY10,  KEY20,  and  KEY3o,  the  initialization 
vector  IV,  and  the  TEXT0  variables.  All  variables  consist  of  64  bits  each. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  21. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 

a.  If  i=0  (if  this  is  the  first  time  through  this  loop),  assign  the  value  of  the 
initialization  vector  IV  to  the  input  block  I0. 
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b.  Record  the  current  values  of  the  output  loop  number  i,  KEY1;,  KEY2j,  KEY3j, 
and  the  TEXT0. 

c.  Assign  the  value  of  TEXT0  to  INITTEXT.  This  will  contain  the  initial  value  of  the 
text  from  every  j  =  0  loop. 

d.  Perform  the  following  for  j  =  0  through  9999: 

1)  Using  the  corresponding  KEYlj,KEY2j,  and  KEY3j  values,  process  Ij 
through  the  three  DEA  stages  resulting  in  output  block  Oj.  This  involves 
processing  Ij  through  the  first  DEA  stage,  denoted  DEAi,  in  the  encrypt 
state  using  KEY  1 ,,  resulting  in  intermediate  value  TEMPI.  TEMPI  is  fed 
directly  into  the  second  DEA  stage,  denoted  DEA2,  in  the  decrypt  state 
using  KEY2i,  resulting  in  intermediate  value  TEMP2.  TEMP2  is  fed 
directly  into  the  third  DEA  stage,  denoted  DEA3,  in  the  encrypt  state  using 
KEY3j,  resulting  in  output  block  Oj. 

2)  Calculate  the  RESULT,  by  exclusive-ORing  the  O,  with  the  TEXT,. 

3)  Prepare  for  loop  j+1  by  doing  the  following: 

a)  Assign  the  TEXTj+i  with  the  value  of  the  Ij. 

b)  Assign  Vi  with  the  value  of  the  Oj. 

e.  Record  the  RESULTj  and  the  I0. 

f.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  6,  to 
the  TMOVS. 

g.  In  preparation  for  the  next  output  loop  (note  j  =  9999): 

1)  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop. 

The  new  KEYli+i  should  be  calculated  by  exclusive-ORing  the  current 
KEYlj  with  the  RESULTj. 

The  new  KEY2i+i  calculation  is  based  on  the  values  of  the  keys.  If  KEY1 , 
and  KEY2;  are  independent  and  KEY3i  =  KEY1 ,,  or  KEY1 ,,  KEY2j,  and 
KEY3j  are  independent,  the  new  KEY2i+]  should  be  calculated  by 
exclusive-ORing  the  current  KEY2,  with  the  RESULTj.i.  If 
KEYli=KEY2i=KEY3i,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2,  with  the  RESULTj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If 
KEYli,  KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be 
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calculated  by  exclusive- ORing  the  current  KEY3j  with  the  RESULT^.  If 
KEY1;  and  KEY2;  are  independent  and  KEY3j  =  KEY  1 ,,  or  if 
KEYli=KEY2i=KEY3i,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3,  with  the  RESEFLTj. 

2)  Assign  a  new  value  to  the  TEXT0.  The  TEXT0  should  be  assigned  the 
value  of  INITTEXT  exclusive-ORed  with  Ij. 

3)  Assign  a  new  value  to  I0.  Io  should  be  assigned  the  value  of  the  0,. 

NOTE  —  the  new  TEXT  and  I  should  be  denoted  as  TEXTo  and  Io  because  these  values  are  used 
for  the  first  pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  6. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values. 
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5.7  The  Output  Feedback  Interleaved  (OFB-I)  Mode 


The  IUTs  which  implement  the  Output  Feedback  Interleaved  (OFB-I)  mode  are  validated  by 
successfully  completing  a  set  of  Known  Answer  tests  and  a  Monte  Carlo  test  applicable  to  both 
IUTs  supporting  encryption  and/or  decryption.  Encryption  and  decryption  using  the  TOFB-I 
mode  of  operation  involve  initializing  the  three  individual  DEA  stages  and  then  simultaneously 
clocking  them.  This  improves  the  throughput  and  minimizes  the  propagation  delay.  Each  clock 
cycle  involves  the  data  being  processed  by  each  DEAj  stage  and  passing  it  onward  to  the  output 
buffer  or  the  next  stage  so  that  idle  DEA,  stages  are  minimized.  The  pipelined  configuration  is 
intended  for  systems  equipped  with  multiple  DEA  processors.  The  same  set  of  Known  Answer 
tests  and  Monte  Carlo  test  can  be  applied  to  IUTs  supporting  both  encryption  and  decryption 
because  the  same  sequence  of  encrypt  with  KEY1,  decrypt  with  KEY2  and  encrypt  with  KEY3  is 
used  for  both  encryption  and  decryption. 

The  processing  for  each  Known  Answer  test  and  Monte  Carlo  test  is  broken  down  into  clock 
cycles  Tl,  T2,  T3,....  Within  each  clock  cycle,  the  processing  occurring  on  each  active  DEA  is 
discussed.  For  convenience,  let  KEY1  represent  the  key  used  on  processor  DEAi,  KEY2 
represent  the  key  used  on  processor  DEA2,  and  KEY3  represent  the  key  used  on  processor 

dea3. 


The  process  of  validating  an  IUT  which  supports  the  TOFB-I  mode  of  operation  in  the  encryption 
and/or  the  decryption  processes  involves  the  successful  completion  of  the  following  six  tests: 

1.  The  Variable  Text  Known  Answer  Test  -  TOFB-I  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  TOFB-I  mode 

3.  The  Variable  Key  Known  Answer  Test  -  TOFB-I  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  TOFB-I  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  TOFB-I  mode 

6.  The  Monte  Carlo  Test  -  TOFB-I  mode 

An  explanation  of  the  tests  for  the  TOFB-I  mode  follows. 

5.7.1  The  Known  Answer  Tests  -  TOFB-I  Mode 

In  the  following  description  of  the  Known  Answer  tests,  TEXT  refers  to  plaintext,  and  RESUFT 
refers  to  ciphertext  if  the  IUT  performs  TOFB-I  encryption.  If  the  IUT  supports  TOFB-I 
decryption,  TEXT  refers  to  ciphertext,  and  RESUFT  refers  to  plaintext. 
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5.7. 1.1  The  Variable  TEXT  Known  Answer  Test  -  TOFB-I  Mode 

Table  57  The  Variable  TEXT  Known  Answer  Test  -  TOFB-I  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV1 ,  =  8000000000000000 
IV2i  =  D555555555555555 
IV3i  =  2AAAAAAAAAAAAAAA 
TEXT  =  0 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IVO  ,  IV2, ,  IV3i , 

TEXT 

IUT:  FOR  i  =  1  to  64 

{ 

With  feedback  path  disconnected: 

Perform  Tl:  II  =  IVlj 
Triple  DES: 

11  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 

resulting  in  TEMPli 

T2:  12  =  IV2, 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 
resulting  in  TEMP2i 

TEMPI  i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  13  =  IV3j 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

Connect  the  feedback  path: 

TEMPO  is  encrypted  by  DEA3  using  KEY3,  resulting  in  01j 
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RESULT  1;  =  Oli  ©  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  02; 
RESULT2,  =  02,  ©  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  03j 
RESULT3,  =  03,  ©  TEXT 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  II,  12, 13,  TEXT, 
RESULT1;,  RESULT2,,  RESULT3, 

IVli+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

IV2,+1  =  IV1,+1  +  Rj  mod  264  where  Ri=5555555555555555 

IV3,+1  =  IVli+i  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Compare  RESULT1,  RESULT2,  and  RESULT3  from  each  loop  with  known 

answers.  See  Table  A. 9. 


As  summarized  in  Table  57,  the  Variable  TEXT  Known  Answer  Test  for  the  TOFB-I  mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2hex=KEY3hex=01  01 
01  01  01  01  01  01. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV U  is  set  to  the  basis  vector 
containing  a"l"  in  the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e., 

IV !  bin  =  10000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00 
00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998,  IV2i  is  computed  by  the 
following  equation:  IVU  +  Ri  mod  264  where  Ri=5555555555555555.  In 
hexadecimal,  this  equates  to  D5  55  55  55  55  55  55  55.  And  IV3i  is  computed  by 
the  equation  IV 1 1  +  R?  mod  264  where  R?=AAAAAAAAAAAAAAAA.  In 
hexadecimal,  this  equates  to  2A  AA  AA  AA  AA  AA  AA  AA. 
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c.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1;  to  the  input  block  II. 

b)  Process  II  through  the  DEA  stage  DEA;  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMPI  ;. 

2)  At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2;  to  the  input  block 
12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP12. 

3)  At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3j  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP3i. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3,  resulting  in  output  block  0 1 ,. 

e)  Calculate  the  RESULT1;  by  exclusive-ORing  01;  with  TEXT1;. 

At  time  T4: 


236 


a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  02;. 

b)  Calculate  RESULT2i  by  exclusive-ORing  02;  with  TEXT2;. 

c)  TEMP3;  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  03;. 

b)  Calculate  the  RESULT3;  by  exclusive-ORing  03;  with  TEXT3;. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV1;,  IV2;,  IV3„  TEXT,  RESULT1;,  RESULT2;,  and 
RESULT3;,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Retain  the  RESULT1,  RESULT2,  and  RESULT3  values  for  use  with  the  Inverse 
Permutation  Known  Answer  Test  for  the  TOFB-I  Mode  (Section  5. 7. 1.2). 

d.  Assign  a  new  value  to  the  IV  variables.  IVl;+i  is  set  to  the  value  of  a  basis  vector 
with  a  "1"  bit  in  position  i+1,  where  i+l=2,...,64.  IV2i+i  is  set  to  the  value  of  IVl;+] 
+  R;  mod  264  where  R;=5555555555555555.  And  IV3i+i  is  set  to  IVli+i  +  R2  mod 
264  where  R2=AAAAAAAAAAAAAAAA. 

NOTE  —  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  IV1,  i.e.,  64  times.  The  output  from  the 
IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A. 9. 
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5.7. 1.2  The  Inverse  Permutation  Known  Answer  Test  -  TOFB-I  Mode 

Table  58  The  Inverse  Permutation  Known  Answer  Test  -  TOFB-I  Mode 

TMOVS:  Initialize  KEY1  =  KEY2  =  KEY3  =  0101010101010101  (odd  parity  set) 

IV 1 1  — ■  8000000000000000 
IV2i  =  D555555555555555 
IV3i  =  2AAAAAAAAAAAAAAA 

TEXTr,  (where  r=1..3  and  i=1..64)  =  64  corresponding  RESULTrj 
values  from  Variable  TEXT  Known  Answer  Test 

Send  KEY  (representing  KEY1,  KEY2,  and  KEY3),  IVO,  IV2,,  IV3, 

TEXT1i,...,TEXT164,  TEXT2i,...,TEXT264,  TEXT3i,...,TEXT364 

IUT:  FOR  i  =  1  to  64 

{ 

With  the  feedback  path  disconnected: 

Perform  Tl:  II  =  IV1, 

Triple  DES: 

11  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMPli 

T2:  12  =  IV2i 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMPO 

T3:  13  =  IV3; 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 
TEMP22 

Connect  the  feedback  path: 

TEMPO  is  encrypted  by  DEA3  using  KEY3,  resulting  in  Oh 


RESULTS  =  01,  ©  TEXTlj 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3,  resulting  in  02; 
RESULT2;  =  02,  ©  TEXT2, 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3,  resulting  in  03; 

RESULT3;  =  03,  ©  TEXT3, 

Send  i,  KEY  (representing  KEY1,  KEY2,  and  KEY3),  II,  12, 13,  TEXT1;, 
TEXT2,,  TEXT3;,  RESULT1;,  RESULT2;,  RESULT3, 

IV  l;+i  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

IV2,+1  =  IV 1;  +  Ri  mod  264  where  R,=5555555555555555 

IV3i+i  =  IV 1;  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

TEXTri+i  (where  r  =  1..3)=  corresponding  RESULTri+i  value  from  the 
TMOVS 

} 

TMOVS:  Compare  RESULT  1,  RESULT2,  and  RESULT3  from  each  loop  with  known 

answers. 

They  should  be  all  zeros. 


As  summarized  in  Table  58  the  Inverse  Permutation  Known  Answer  Test  for  the  TOFB-I  mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  to  the  constant 
hexadecimal  value  0  with  odd  parity  set,  i.e.,  KEYlhex=KEY2heX=KEY3hex=01  01 
01  01  01  01  01  01. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV 1;  is  set  to  the  basis  vector 
containing  a'T"  in  the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e., 
IV,  bin  =  10000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00 
00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998,  IV2,  is  computed  by  the 
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following  equation:  IV U  +  Ri  mod  264  where  Ri=5555555555555555.  In 
hexadecimal,  this  equates  to  D5  55  55  55  55  55  55  55.  And  IV3i  is  computed  by 
the  equation  IV 1 1  +  R?  mod  264  where  R2=AAAAAAAAAAAAAAAA.  In 
hexadecimal,  this  equates  to  2A  AA  AA  AA  AA  AA  AA  AA. 

c.  Initializes  the  TEXTr,  (where  r=l,. . .,3  and  i=l . .,64)  to  the  RESULTr,  obtained 
from  the  Variable  TEXT  Known  Answer  Test. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  15. 

The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV lj  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMPI i. 

2)  At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2,  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP12. 

3)  At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3,  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1,  resulting  in  intermediate  value  TEMP3]. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3,  resulting  in  output  block  Oh. 


e)  Calculate  the  RESULT  1 ,  by  exclusive-ORing  0 1 ,  with  TEXT  1 


At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  02;. 

b)  Calculate  the  RESULT2i  by  exclusive-ORing  02,  with  TEXT2,. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,  resulting  in  output  block  03j. 

b)  Calculate  the  RESULT3i  by  exclusive-ORing  03i  with  TEXT3i. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY  (representing  KEY1, 

KEY2,  and  KEY3),  IV1„  IV2„  IV3j,  TEXT1;,  TEXT2,,  TEXT3;,  RESULT  1;, 
RESULT2i,  and  RESULT3i,  to  the  TMOVS  as  specified  in  Output  Type  3. 

c.  Assign  a  new  value  to  the  IV  variables.  IVl,+i  is  set  to  the  value  of  a  basis  vector  with 

a  "1"  bit  in  position  i+1,  where  i+l=2, _ ,64.  IV2i+i  is  set  to  the  value  of  IVli+]  +  Ri 

mod  264  where  Ri=5555555555555555.  And  IV3i+i  is  set  to  IVli+i  +  R2  mod  264 
where  R2=AAAAAAAAAAAAAAAA. 

d.  Assign  a  new  value  to  the  TEXTli+i,  TEXT2i+i,  and  TEXT3j+i  by  setting  it  equal  to 
the  corresponding  output  from  the  TMOVS. 

NOTE  —  This  continues  until  every  RESULT1,  RESULT2,  and  RESULT3  value  from  the  Variable  TEXT  Known  Answer  Test 
has  been  used  as  input.  The  output  from  the  IUT  should  consist  of  64  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  3. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values.  The  RESULT  1,  RESULT2,  and  RESULT3  values  should  be  all  zeros. 
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5.7. 1.3 


The  Variable  KEY  Known  Answer  Test  -  TOFB-I  Mode 


Table  59  The  Variable  KEY  Known  Answer  Test  -  TOFB-I  Mode 

TMOVS:  Initialize  KEYli  =  KEY2i  =  KEY3i  =  8001010101010101  (odd  parity  set) 

IV 1  =  0000000000000000 
IV2  =  5555555555555555 
IV3  =  AAAAAAAAAAAAAAAA 
TEXT  =  0 

Send  KEY!  (representing  KEYO,  KEY2i,  and  KEY3i),  IV1,  IV2,  IV3, 

TEXT 

IUT:  FOR  i  =  1  to  64 

IF  (i  mod  8  =£  0){ process  all  bits  except  parity  bits} 

{ 

;  feedback  path  disconnected: 

II  =  IV1 

11  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY li? 
resulting  in  TEMPli 

12  =  IV2 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY li? 
resulting  in  TEMP2i 

TEMPI  i  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMPO 

13  =  IV3 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY li? 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2i,  resulting  in 
TEMP22 

Connect  the  feedback  path: 


Perform 

Triple 

DES: 


With  the 
Tl: 


T2: 


T3: 
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TEMP12  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  01; 
RESETLTli  =  01;  ©  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2;,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  02; 
RESULT2;  =  02,  ©  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  03; 

RESULT3;  =  03,  ©  TEXT 

Send  i,  KEY,  (representing  KEY1„  KEY2„  and  KEY3;),  II,  12, 13,  TEXT, 
RESULT1;,  RESULT2;,  RESULT3, 

KEYli+i  =  KEY2  i+i  =  KEY3  ;+i=  vector  consisting  of  “0”  in  every 
significant  bit  position  except  for  a  single  “1”  bit  in  position  i+1.  Each  parity 
bit  may  have  the  value  “1”  or  “0”  to  make  the  KEY  odd  parity. 

} 

TMOVS:  Compare  results  of  the  56  encryptions  with  known  answers. 

See  Table  A.  11. 


As  summarized  in  Table  59,  the  Variable  KEY  Known  Answer  Test  for  the  TOFB-I  Mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1;,  KEY2,,  and  KEY3;  to  contain  "0"  in  every 
significant  bit  except  for  a  "1"  in  the  first  position,  i.e.,  the  64-bit  KEY1;  bin= 
KEY2,  bin=  KEY3;  bin=  10000000  00000001  00000001  00000001  00000001 
00000001  00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal 
notation  is  80  01  01  01  01  01  01  01. 

NOTE  —  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd  parity. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV1  is  set  to  zero,  i.e.,  IV;  bex  = 
00  00  00  00  00  00  00  00.  Based  on  specifications  in  ANSI  X9. 52-1998,  IV2  is 
computed  as  IV1  +  R;  mod  264  where  R;  =  5555555555555555  and  IV3is 
computed  as  IV 1  +  R?  mod  264  where  R2  =  AAAAAAAAAAAAAAAA.  Since 
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IV 1  hex  =  0000000000000000,  this  equates  to  IV2hex  =  5555555555555555  and 

IV3hex  =  AAAAAAAAAAAAAAAA. 

c.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  13. 

2.  The  IUT  should  perform  the  following  for  i=l  through  64: 

a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1  to  the  input  block  II. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMPI  i. 

2)  At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2  to  the  input  block 
12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYl;,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

3)  At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYl;,  resulting  in  intermediate  value  TEMP3]. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3;,  resulting  in  output  block  Olj. 

e)  Calculate  the  RESULTl;  by  exclusive-ORing  01;  with  TEXT. 
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At  time  T4: 


a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3i,  resulting  in  output  block  02,. 

b)  Calculate  the  RESULT2,  by  exclusive-ORing  02j  with  TEXT. 

c)  TEMP3i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2j,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,,  resulting  in  output  block  03,. 

b)  Calculate  the  RESULT3i  by  exclusive-ORing  03j  with  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing  KEY  1 ,, 
KEY2j,  and  KEY3;),  IV1,  IV2,  IV3,  TEXT,  RESULT  lj,  RESULTS,  and 
RESULT3j,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEY li+i,  KEY2i+i,  and  KEY3i+i  equal  to  the  vector  consisting  of  “0”  in  every 
significant  bit  position  except  for  a  single  “1”  bit  in  position  i+1.  The  parity  bits 
contain  “1”  or  “0”  to  make  odd  parity. 

NOTE  —  This  processing  should  continue  until  every  significant  basis  vector  has  been  represented  by  the  KEY  parameters.  The 
output  from  the  IUT  should  consist  of  56  output  strings.  Each  output  string  should  consist  of  information  included  in  Output 
Type  7. 

3.  The  TMOVS  checks  the  IUT’s  output  for  correctness  by  comparing  the  received  results 
to  the  known  values  found  in  Table  A.ll. 


245 


5.7. 1.4  The  Permutation  Operation  Known  Answer  Test  -  TOFB-I  Mode 

Table  60  The  Permutation  Operation  Known  Answer  Test  -  TOFB-I  Mode 

TMOVS:  Initialize  KEY1 ,  =  KEY2,  =  KEY3,  (where  i=1..32)  =  32  KEY  values  in 

Table  A.  12 

IV1=  0000000000000000 
IV2  =5555555555555555 
IV3  =AAAAAAAAAAAAAAAA 
TEXT  =  0 

Send  IV1,  IV2,  IV3,  TEXT,  KEY,,  KEY2,...,KEY32  (Since  all  three  keys 

are  the  same,  these  key  values  represent  the  values  of  KEY  1, 
KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  32 

{ 


Perform 

Triple 

DES: 


12  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY  li? 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA  using  KEY2,,  resulting  in 
TEMPO 

T3:  13  =  IV3 

13  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY  li? 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA  using  KEY2,.  resulting  in 
TEMP22 

Connect  the  feedback  path: 


With  the  feedback  path  disconnected: 

Tl:  I1  =  IV1 

II  is  read  into  TDEA  and  is  encrypted  by  DEA  using  KEY li? 
resulting  in  TEMPO 

T2:  12  =  IV2 
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TEMPI 2  is  encrypted  by  DEA  using  KEY3,,  resulting  in  01; 
RESETLTli  =  01;  ©  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2;,  resulting  in 

TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  02; 
RESULT2;  =  02,  ©  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  03; 

RESULT3;  =  03,  ©  TEXT 

Send  i,  KEY,  (representing  KEY1„  KEY2„  and  KEY3;),  II,  12, 13,  TEXT, 
RESULT1;,  RESULT2;,  RESULT3, 

KEYli+i  =  KEY2,+1  =  KEY3,+i=  corresponding  KEYi+i  from  TMOVS. 
TMOVS:  Compare  results  from  each  loop  with  known  answers. 

See  Table  A.  12. 


As  summarized  in  Table  60,  the  Permutation  Operation  Known  Answer  Test  for  the  TOFB-I 
Mode  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY1,  KEY2,  and  KEY3  with  the  32  constant 
KEY  values  from  Table  A.  12. 

b.  Initializes  the  3  initialization  vectors  accordingly:  IV1  is  assigned  the  value  0,  i.e., 
IV  hex  =  00  00  00  00  00  00  00  00.  Based  on  specifications  in  ANSI  X9.52-1998, 
IV2  is  computed  by  the  following  equation:  IV 1  +  R;  mod  264  where 
Ri=5555555555555555.  In  hexadecimal,  this  equates  to  55  55  55  55  55  55  55  55. 
And  IV3  is  computed  by  the  equation  IV 1  +  R2  mod  264  where 

R2 = A  A  A  A  A  A  A  A  A  A  A  A  A  A  A  A .  In  hexadecimal,  this  equates  to  AA  AA  AA  AA 
AA  AA  AA  AA. 

c.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 

d.  Forwards  this  information  to  the  IUT  using  Input  Type  18. 

2.  The  IUT  should  perform  the  following  for  i=l  through  32: 
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a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEA;  in  the  encrypt  state  using 
KEYlj,  resulting  in  intermediate  value  TEMPI  ;. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMP2i. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEYli,  resulting  in  intermediate  value  TEMP3i. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA?  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP2?. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3;,  resulting  in  output  block  01;. 

e)  Calculate  the  RESULT  1;  by  exclusive-ORing  Oh  with  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3,,  resulting  in  output  block  02,. 

b)  Calculate  the  RESULT2;  by  exclusive-ORing  02;  with  TEXT. 

c)  TEMP3;  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2;,  resulting  in  intermediate  value  TEMP32. 
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At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3j,  resulting  in  output  block  03j. 

b)  Calculate  the  RESULT3i  by  exclusive-ORing  03i  with  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEYj  (representing  KEY1 ,, 
KEY2i,  and  KEY3;),  IV1,  IV2,  IV3,  TEXT,  RESULT li;  RESULT2,,  and 
RESULT3,,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEYli+1,  KEY2i+1,  and  KEY3j+i  equal  to  the  corresponding  KEYi+]  supplied 
by  the  TMOVS. 

NOTE  —  The  above  processing  should  continue  until  all  32  KEY  values  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  32  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  Table  A.  12. 
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5.7. 1.5  The  Substitution  Table  Known  Answer  Test  -  TOFB-I  Mode 

Table  61  The  Substitution  Table  Known  Answer  Test  -  TOFB-I  Mode 

TMOVS:  Initialize  KEY1,  =  KEY2,  =  KEY3,  (where  i=1..19)  =  19  KEY  values  in 

Table  A.  10 

IV 1;  (where  i=1..19)  =  19  corresponding  TEXT  values  in  Table 
A.  10 

IV2i  =  IV1;  +  Rj  mod  264  where  Ri=5555555555555555 
IV3i  =  IVli  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 
TEXT  =  0 

Send  IVli,  IV2j,  IV3;,  TEXT,  KEY1;  KEY2,...,KEY19  (These  key  values 

represent  the  values  of  KEY1,  KEY2,  and  KEY3.) 

IUT:  FOR  i  =  1  to  19 

{ 

With  the  feedback  path  disconnected:  ~| 

Perform  T1 
Triple  DES: 

T2:  12  =  IV2, 

12  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMP2i 

TEMPli  is  decrypted  by  DEA2  using  KEY2j,  resulting  in 
TEMPI  2 

T3:  13  =  IV3j 

13  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMP3i 

TEMP2i  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP22 

Connect  the  feedback  path: 


II  =  IVli 

II  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY  1 ,, 
resulting  in  TEMPli 
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TEMPI 2  is  encrypted  by  DEA3  using  KEY3,,  resulting  in  Ob 
RESULT1;  =  01;  ©  TEXT 

T4:  TEMP3i  is  decrypted  by  DEA2  using  KEY2,,  resulting  in 
TEMP32 

TEMP22  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  02, 
RESULT2,  =  02;  ©  TEXT 

T5:  TEMP32  is  encrypted  by  DEA3  using  KEY3;,  resulting  in  03; 
RESULT3;  =  03;  ©  TEXT 

Send  i,  KEY,  (representing  KEY1;,  KEY2„  and  KEY3;),  IV1;,  IV2„  IV3;, 
TEXT,  RESULT1;,  RESULT2;,  RESULT3, 

KEYli+1  =  KEY2;+i  =  KEY31+i=  Corresponding  KEY1+i  from  TMOVS 
IV l;+i=  corresponding  DATAi+i  from  TMOVS 
IV2i+1  =  IVli+i  +  R;  mod  264  where  R;=5555555555555555 
IV3i+i  =  IVli+1  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Compare  results  from  each  loop  with  known  answers. 

See  Table  A.  10. 

As  summarized  in  Table  61,  the  Substitution  Table  Known  Answer  Test  for  the  TCFB-P  Mode  is 
performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY-IV1  pairs  with  the  19  constant  KEY-DATA  values  from  Table 
A.  10.  The  DATA  values  are  assigned  to  the  values  of  the  initialization  vectors 
IV 1;.  The  KEY  value  indicates  the  values  of  KEY1;,  KEY2;,  and  KEY3;,  i.e., 

KEY  1  ;=KE Y 2;=KE Y 3; .  Based  on  specifications  in  ANSI  X9.52-1998,  IV2;is 
computed  as  IV1;  +  R;  mod  264  where  R;  =  5555555555555555  and  IV3;is 
computed  as  IV 1;  +  R2  mod  264  where  R2  =  AAAAAAAAAAAAAAAA. 

b.  Initializes  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXThex 

=  00  00  00  00  00  00  00  00. 
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c.  Forwards  this  information  to  the  IUT  using  Input  Type  25. 

2.  The  IUT  should  perform  the  following  for  i=l  through  19: 
a.  With  the  feedback  path  disconnected: 

1)  At  time  Tl: 

a)  Assign  the  value  of  the  initialization  vector  IV 1;  to  the  input  block 

11. 

b)  Process  II  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMPI  i. 

At  time  T2: 

a)  Assign  the  value  of  the  initialization  vector  IV2;  to  the  input  block 

12. 

b)  Process  12  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMP2j. 

c)  TEMPI  i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP12. 

At  time  T3: 

a)  Assign  the  value  of  the  initialization  vector  IV3;  to  the  input  block 
13. 

b)  Process  13  through  the  DEA  stage  DEAi  in  the  encrypt  state  using 
KEY1;,  resulting  in  intermediate  value  TEMP3]. 

c)  TEMP2i  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using 
KEY2;,  resulting  in  intermediate  value  TEMP22. 

Connect  the  feedback  path: 

d)  TEMP12  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using 
KEY3;,  resulting  in  output  block  01;. 

e)  Calculate  the  RESULT1;  by  exclusive-ORing  01;  with  TEXT. 

At  time  T4: 

a)  TEMP22  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3;,  resulting  in  output  block  02;. 
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b)  Calculate  RESULT2i  by  exclusive-ORing  02;  with  TEXT. 

c)  TEMP3]  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt 
state  using  KEY2;,  resulting  in  intermediate  value  TEMP32. 

At  time  T5: 

a)  TEMP32  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt 
state  using  KEY3;,  resulting  in  output  block  03;. 

b)  Calculate  the  RESULT3;  by  exclusive-ORing  03;  with  TEXT. 

b.  Forward  the  current  values  of  the  loop  number  i,  KEY;  (representing  KEY1;, 
KEY2;,  and  KEY3;),  IV 1;,  IV2;,  IV3;,  TEXT,  RESULT  1„  RESULT2,,  and 
RESULT3;,  to  the  TMOVS  as  specified  in  Output  Type  7. 

c.  Set  KEYlj+i,  KEY2j+i,  and  KEY3i+i  equal  to  the  corresponding  KEYi+]  supplied 
by  the  TMOVS. 

d.  Set  IV li+i  equal  to  the  corresponding  DATAi+i  supplied  by  the  TMOVS.  Based  on 
specifications  in  ANSI  X9. 52- 1998,  IV2i+i  is  set  to  IVl;+]  +  R;  mod  264  where 
Ri=5555555555555555  and  IV3i+i  is  set  to  IVli+;  +  R2  mod  264  where 

r2=aaaaaaaaaaaaaaaa. 

NOTE  —  The  above  processing  should  continue  until  all  19  KEY-DATA  are  processed.  The  output  from  the  IUT  for  this  test 
should  consist  of  19  output  strings.  Each  output  string  should  consist  of  information  included  in  Output  Type  7. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
the  known  values  found  in  Table  A.  10. 
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5.7.2  The  Monte  Carlo  Tests  -  TOFB-I  Mode 


The  TOFB-I  mode  of  operation  has  one  Monte  Carlo  test  that  is  used  regardless  of  the  process, 
i.e.,  the  same  Monte  Carlo  test  is  used  for  IUTs  supporting  the  encryption  and/or  decryption 
process.  In  the  following  description  of  the  Monte  Carlo  test,  TEXT  refers  to  plaintext,  and 
RESULT  refers  to  ciphertext  if  the  IUT  performs  TOFB-I  encryption.  If  the  IUT  supports  TOFB- 
I  decryption,  TEXT  refers  to  ciphertext,  and  RESULT  refers  to  plaintext. 

Table  62  The  Monte  Carlo  Test  -  TOFB-I  Mode 


TMOVS:  Initialize  KEYl0,KEY20,KEY3o,  IV 1,  IV2,  IV3,  TEXT0 

Send  KEYl0,KEY20,KEY3o,  IV1,  IV2,  IV3,  TEXT0 

IUT:  FOR  i  =  0  TO  399 

{ 

FOR  j  =  0  TO  9,999 


Perform 
Triple  DES: 


Record  10,  RESULT, 

Send  i,  KEY1„  KEY2„  KEY3;,  10,  II,  12,  TEXT0 ,  RESULT, 


{ 

IF  (j  ==  0,  1,  or  2) 

Ij  =  IV(j+l) 

ELSE 

Ij=Oj-2 

Ij  is  read  into  TDEA  and  is  encrypted  by  DEAi  using  KEY1 ,, 
resulting  in  TEMPI 

TEMPI  is  decrypted  by  DEA2  using  KEY2,.  resulting  in  TEMP2 
TEMP2  is  encrypted  by  DEA3  using  KEY3i,  resulting  in  O, 
RESULTj  =  Oj  ®  TEXTj 
TEXTJ+1  =  Ij 
} 
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KEY11+1  =  KEYli  ©  RESULT, 

IF  (KEYli  and  KEY2,  are  independent  and  KEY3;  =  KEY1;)  or  (KEYli, 
KEY2,.  and  KEY3i  are  independent) 

KEY21+i=  KEY2;  0  RESULT,  , 

ELSE 

KEY2i+1=  KEY2,  ©  RESULT, 

IF  (KEY1;=  KEY2,=  KEY3;)  or  (KEY1 ,  and  KEY2,  are  independent  and 
KEY3;  =  KEY10 

KEY3i+i=  KEY3j  ©  RESULT, 

ELSE 

KEY3i+i=  KEY3j  ©  RESULT^ 

TEXT0  =  TEXT0  ©  Ij 

10  =  O, 

11  =10  +  Ri  mod  264  where  R1=5555555555555555 

12  =10  +  R2  mod  264  where  R2=AAAAAAAAAAAAAAAA 

} 

TMOVS:  Check  the  IUT's  output  for  correctness. 


As  summarized  in  Table  62,  the  Monte  Carlo  Test  for  the  TOFB-I  is  performed  as  follows: 

1.  The  TMOVS: 

a.  Initializes  the  KEY  parameters  KEY10,  KEY20,  and  KEY3o,  the  initialization 
vectors  IV1,  IV2,  and  IV3,  and  the  TEXT0.  The  TEXT,  IVs,  and  KEYs  consist  of 
64  bits  each.  IV2  is  assigned  the  value  of  IVl+Ri  mod  264  where  Ri  = 
5555555555555555.  IV3  is  assigned  the  value  of  IV1+R2  mod  264  where  R?  = 
AAAAAAAAAAAAAAAA. 

b.  Forwards  this  information  to  the  IUT  using  Input  Type  24. 

2.  The  IUT  should  perform  the  following  for  i  =  0  through  399: 
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a.  Record  the  current  values  of  the  output  loop  number  i,  KEYlj,  KEY2,,  KEY3j, 
IV1,  IV2,  IV3,  and  TEXT0. 

b.  Perform  the  following  for  j  =  0  through  9,999: 

1)  If  j  =  0,  1,  or  2,  assign  the  value  of  the  initialization  vector  IV(j+l)  to  the 
input  block  Ij. 

2)  If  j  >  2,  assign  Ij  with  the  value  of  the  output  block  0(j-2). 

3)  Process  Ij  through  the  DEA  stage  DEAi  in  the  encrypt  state  using  KEY  1 ,, 
resulting  in  intermediate  value  TEMPI. 

4)  TEMPI  is  fed  into  the  DEA  stage  DEA2  in  the  decrypt  state  using  KEY2j, 
resulting  in  intermediate  value  TEMP2. 

5)  TEMP2  is  fed  into  the  DEA  stage  DEA3  in  the  encrypt  state  using  KEY3j, 
resulting  in  output  block  O,. 

6)  Calculate  the  RESULTj  by  exclusive-ORing  the  O,  with  the  TEXT,. 

7)  Prepare  for  loop  j+1  by  assigning  the  TEXTj+i  with  the  value  of  the  Ij. 

c.  Record  the  current  values  of  the  input  block  10  and  RESULTj. 

d.  Forward  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  8,  to  the 
MO  VS. 

e.  In  preparation  for  the  next  output  loop: 

1)  Assign  new  values  to  the  KEY  parameters,  KEY1,  KEY2,  and  KEY3  in 
preparation  for  the  next  outer  loop. 

The  new  KEYli+i  should  be  calculated  by  exclusive-ORing  the  current 
KEY1;  with  the  RESULTj. 

The  new  KEY2i+i  calculation  is  based  on  the  values  of  the  keys.  If  KEYlj 
and  KEY2j  are  independent  and  KEY3j  =  KEYlj,  or  KEYlj,  KEY2j,  and 
KEY3j  are  independent,  the  new  KEY2i+1  should  be  calculated  by 
exclusive-ORing  the  current  KEY2j  with  the  RESULTj.j.  If 
KEYli=KEY2j=KEY3j,  the  new  KEY2i+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY2j  with  the  RESULTj. 

The  new  KEY3j+i  calculation  is  also  based  on  the  values  of  the  keys.  If 
KEYlj,  KEY2j,  and  KEY3j  are  independent,  the  new  KEY3j+i  should  be 
calculated  by  exclusive-ORing  the  current  KEY3j  with  the  RESULTj_2.  If 
KEYlj  and  KEY2;  are  independent  and  KEY3;  =  KEYlj,  or  if 
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KEYli=KEY2i=KEY3i,  the  new  KEY3j+i  should  be  calculated  by 
exclusive-ORing  the  current  KEY3j  with  the  RESULT). 

2)  Assign  a  new  value  to  the  TEXT0.  The  TEXT0  should  be  assigned  the 
value  of  the  current  Ij  exclusive-ORed  with  TEXT0. 

3)  Assign  a  new  value  to  the  I  parameters.  10  should  be  assigned  the  value  of 
Oj.  II  should  be  assigned  the  value  of  I0+Ri  mod  264  where  Ri  = 
5555555555555555.  12  should  be  assigned  the  value  of  I0+R2  mod  264 
where  R2  =  AAAAAAAAAAAAAAAA. 

NOTE  —  the  new  TEXT  and  I  should  be  denoted  as  TEXTo  and  Io  because  these  values  are  used  for  the  first 

pass  through  the  inner  loop  when  j=0. 

NOTE  —  The  output  from  the  IUT  for  this  test  should  consist  of  400  output  strings.  Each  output  string  should  consist  of 
information  included  in  Output  Type  8. 

3.  The  TMOVS  checks  the  IUT's  output  for  correctness  by  comparing  the  received  results  to 
known  values. 
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6.  DESIGN  OF  THE  TRIPLE  DES  MODES  OF  OPERATION 

VALIDATION  SYSTEM  (TMOVS) 


6.1  Design  Philosophy 

NIST  validation  programs  are  conformance  tests  rather  than  measures  of  product  security.  NIST 
validation  tests  are  designed  to  assist  in  the  detection  of  accidental  implementation  errors,  and  are 
not  designed  to  detect  intentional  attempts  to  misrepresent  conformance.  Thus,  validation  by 
NIST  should  not  be  interpreted  as  an  evaluation  or  endorsement  of  overall  product  security. 

An  IUT  is  considered  validated  for  a  test  option  when  it  passes  the  appropriate  set  of  TMOVS 
tests.  TMOVS  testing  is  via  statistical  sampling,  so  validation  of  an  option  does  not  guarantee 
100  %  conformance  with  the  option  in  the  standards. 

The  intent  of  the  validation  process  is  to  provide  a  rigorous  conformance  process  that  can  be 
performed  at  modest  cost.  NIST  does  not  try  to  prevent  a  dishonest  vendor  from  purchasing  a 
validated  implementation  and  using  this  implementation  as  the  vendor's  IUT.  Customers  who 
wish  to  protect  themselves  against  a  dishonest  vendor  could  require  that  the  vendor  revalidate  the 
IUT  in  the  customer's  presence. 

6.2  Operation  of  the  TMOVS 

TMOVS  testing  is  done  through  the  NIST  Cryptographic  Module  Validation  (CMV)  Program. 
The  CMV  Program  uses  laboratories  accredited  by  the  NIST  National  Voluntary  Laboratory 
Accreditation  Program  (NVLAP)  to  perform  conformance  tests  to  cryptographic -related  FIPS.  A 
vendor  contracts  with  a  Cryptographic  Module  Testing  (CMT)  Laboratory  accredited  by 
NVLAP.  The  CMT  laboratory  either  conducts  the  TMOVS  tests  on  the  IUT  or  supplies  initial 
values  to  the  vendor  to  conduct  the  tests.  If  the  vendor  conducts  the  tests,  the  vendor  sends  the 
results  to  the  CMT  where  they  are  verified.  In  both  situations,  the  CMT  laboratory  submits  the 
results  to  NIST  for  validation.  If  the  IUT  has  successfully  completed  the  tests,  NIST  issues  a 
validation  certificate  for  the  IUT  to  the  vendor.  A  list  of  CMT  laboratories  is  available  at 
http://csrc.nist.gov/cryptval. 
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Appendix  A 

Tables  of  Values  for  the  Known  Answer  Tests 


Tables  A.l  through  A.4  were  used  with  single  DES.  They  will  work  with  the  triple  DES  Validation  Modes  that  are  backwards 
compatible  with  their  single  counterparts.  These  include  TECB,  TCBC,  TCFB,  and  TOFB. 

The  other  tables  include  the  values  obtained  for  ciphertexts  C2  and  C3.  These  values  are  a  result  of  having  three  initialization  vectors. 
These  tables  can  be  used  with  the  interleaved  and  pipelined  configurations  of  the  Triple  DES  modes  of  operation. 

Table  A.l  Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test 

for  the  TECB,  TCBC,  TCFB,  and  TOFB  Modes  of  Operation 

(NOTE  -  KEY  1 =KE Y 2=KE Y 3  =  01  01  01  01  01  01  01  01  (odd  parity  set)) 


ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

0 

80  00  00  00  00  00  00  00 

95  F8  A5  E5  DD  31  D9  00 

1 

40  00  00  00  00  00  00  00 

DD  7F  12  1C  A5  01  56  19 

2 

20  00  00  00  00  00  00  00 

2E  86  53  10  4F  38  34  EA 

3 

10  00  00  00  00  00  00  00 

4B  D3  88  FF  6C  D8  ID  4F 

4 

08  00  00  00  00  00  00  00 

20  B9  E7  67  B2  FB  14  56 

5 

04  00  00  00  00  00  00  00 

55  57  93  80  D7  71  38  EF 

6 

02  00  00  00  00  00  00  00 

6CC5  DEFAAF  04  51  2F 
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ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

7 

01  00  00  00  00  00  00  00 

0D  9F  27  9B  A5  D8  72  60 

8 

00  80  00  00  00  00  00  00 

D9  03  IB  02  71  BD  5A  0A 

9 

00  40  00  00  00  00  00  00 

42  42  50B3  7C  3D  D9  51 

10 

00  20  00  00  00  00  00  00 

B8  06  IB  7E  CD  9A21  E5 

11 

00  10  00  00  00  00  00  00 

FI  5D  OF  28  6B  65  BD  28 

12 

00  08  00  00  00  00  00  00 

AD  DO  CC  8D  6E  5D  EB  A1 

13 

oo  04  00  00  00  00  00  00 

E6  D5  F8  27  52  AD  63  D1 

14 

00  02  00  00  00  00  00  00 

EC  BF  E3  BD  3F  59  1A  5E 

15 

00  01  00  00  00  00  00  00 

F3  56  83  43  79  D1  65  CD 

16 

00  00  80  00  00  00  00  00 

2B  9F  98  2F  20  03  7F  A9 

17 

00  00  40  00  00  00  00  00 

88  9D  EO  68  A1  6F  OB  E6 

18 

00  00  20  00  00  00  00  00 

El  9E  27  5D  84  6A  12  98 

19 

00  00  10  00  00  00  00  00 

32  9A  8E  D5  23  D7  1A  EC 

20 

00  00  08  00  00  00  00  00 

E7  FC  E2  25  57  D2  3C  97 

21 

oo  00  04  00  00  00  00  00 

12  A9  F5  81  7FF2D6  5D 

ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

22 

00  00  02  00  00  00  00  00 

A4  84  C3  AD  38  DC  9C  19 

23 

00  00  01  00  00  00  00  00 

FB  E0  0A  8A  IE  F8  AD  72 

24 

00  00  00  80  00  00  00  00 

75  0D  07  94  07  52  13  63 

25 

oo  00  00  40  00  00  00  00 

64  FE  ED  9C  72  4C  2F  AF 

26 

00  00  00  20  00  00  00  00 

F0  2B  26  3B  32  8E  2B  60 

27 

00  00  00  10  00  00  00  00 

9D  64  55  5A  9A  10  B8  52 

28 

00  00  00  08  00  00  00  00 

D1  06  FF  OB  ED  52  55  D7 

29 

oo  00  00  04  00  00  00  00 

El  65  2C  6B  13  8C  64  A5 

30 

00  00  00  02  00  00  00  00 

E4  28  58  1 1  86  EC  8F  46 

31 

00  00  00  01  00  00  00  00 

AE  B5  F5  ED  E2  2D  1A  36 

32 

00  00  00  00  80  00  00  00 

E9  43  D7  56  8A  EC  OC  5C 

33 

00  00  00  00  40  00  00  00 

DF  98  C8  27  6F  54  BO  4B 

34 

00  00  00  00  20  00  00  00 

B1  60  E4  68  OF  6C  69  6F 

35 

00  00  00  00  10  00  00  00 

FA  07  52  BO  7D  9C  4A  B8 

36 

00  00  00  00  08  00  00  00 

CA  3A  2B  03  6D  BC  85  02 

ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

37 

00  00  00  00  04  00  00  00 

5E  09  05  51  7B  B5  9B  CF 

38 

00  00  00  00  02  00  00  00 

81  4E  EB  3B91  D9  07  26 

39 

00  00  00  00  01  00  00  00 

4D  49  DB  15  32  91  9C  9F 

40 

00  00  00  00  00  80  00  00 

25  EB  5FC3F8  CF  06  21 

41 

00  00  00  00  00  40  00  00 

AB  6A  20  CO  62  0D  1C  6F 

42 

00  00  00  00  00  20  00  00 

79  E9  0D  BC  98  F9  2C  CA 

43 

00  00  00  00  00  10  00  00 

86  6E  CE  DD  80  72  BB  OE 

44 

00  00  00  00  00  08  00  00 

8B  54  53  6F  2F  3E  64  A8 

45 

00  00  00  00  00  04  00  00 

EA  51  D3  97  55  95  B8  6B 

46 

00  00  00  00  00  02  00  00 

CA  FF  C6  AC  45  42  DE  31 

47 

00  00  00  00  00  01  00  00 

8D  D4  5A  2D  DF  90  79  6C 

48 

00  00  00  00  00  00  80  00 

10  29  D5  5E  88  OE  C2  DO 

49 

00  00  00  00  00  00  40  00 

5D  86  CB  23  63  9D  BE  A9 

50 

00  00  00  00  00  00  20  00 

ID  1C  A8  53  AE  7C  OC  5F 

51 

00  00  00  00  00  00  10  00 

CE  33  23  29  24  8F  32  28 

ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

52 

00  00  00  00  00  00  08  00 

84  05  D1  AB  E2  4F  B9  42 

53 

00  00  00  00  00  00  04  00 

E6  43  D7  80  90  CA  42  07 

54 

00  00  00  00  00  00  02  00 

48  22  IB  99  37  74  8A  23 

55 

00  00  00  00  00  00  01  00 

DD  7C  OB  BD  61  FA  FD  54 

56 

00  00  00  00  00  00  00  80 

2F  BC  29  1A  57  0D  B5  C4 

57 

00  00  00  00  00  00  00  40 

E0  1C  30  D7  E4  E2  6E  12 

58 

00  00  00  00  00  00  00  20 

09  53  E2  25  8E  8E  90  A1 

59 

00  00  00  00  00  00  00  10 

5B  71  IB  C4CEEB  F2  EE 

60 

00  00  00  00  00  00  00  08 

CC  08  3F  IE  6D  9E  85  F6 

61 

00  00  00  00  00  00  00  04 

D2  FD  88  67  D5  0D  2D  FE 

62 

00  00  00  00  00  00  00  02 

06  E7  EA  22  CE  92  70  8F 

63 

00  00  00  00  00  00  00  01 

16  6B  40  B4  4A  BA  4B  D6 

Table  A.2  Resulting  Ciphertext  from  the  Variable  Key  Known  Answer  Test 

for  the  TECB,  TCBC,  TCFB,  and  TOFB  Modes  of  Operation 

(NOTE  —  Plaintext/text  =  00  00  00  00  00  00  00  00  and,  where  applicable,  IV  =  00  00  00  00  00  00  00  00) 


ROUND 

KEY 

CIPHERTEXT 

0 

80  01  01  01  01  01  01  01 

95  A8  D7  28  13  DAA9  4D 

1 

40  01  01  01  01  01  01  01 

0E  EC  14  87  DD  8C  26  D5 

2 

20  01  01  01  01  01  01  01 

7AD1  6FFB79  C4  59  26 

3 

10  01  01  01  01  01  01  01 

D3  74  62  94  CA  6A  6C  F3 

4 

08  01  01  01  01  01  01  01 

80  9F  5F  87  3C  1FD7  61 

5 

04  01  01  01  01  01  01  01 

CO  2F  AF  FE  C9  89  D1  FC 

6 

02  01  01  01  01  01  01  01 

46  15  AA  ID  33  E7  2F  10 

7 

01  80  01  01  01  01  01  01 

20  55  12  33  50  CO  08  58 

8 

01  40  01  01  01  01  01  01 

DF  3B  99  D6  57  73  97  C8 

9 

01  20  01  01  01  01  01  01 

31  FE  17  36  9B  52  88  C9 

10 

01  10  01  01  01  01  01  01 

DF  DD  3C  C6  4D  AE  16  42 

11 

01  08  01  01  01  01  01  01 

17  8C  83  CE  2B  39  9D  94 

ROUND 

KEY 

CIPHERTEXT 

12 

01  04  01  01  01  01  01  01 

50  F6  36  32  4A  9B  7F  80 

13 

01  02  01  01  01  01  01  01 

A8  46  8E  E3  BC  18F0  6D 

14 

01  01  80  01  01  01  01  01 

A2  DC  9E  92  FD  3C  DE  92 

15 

01  01  40  01  01  01  01  01 

CA  CO  9F  79  7D  03  12  87 

16 

01  01  20  01  01  01  01  01 

90  BA  68  OB  22  AE  B5  25 

17 

01  01  10  01  01  01  01  01 

CE  7 A  24  F3  50  E2  80  B6 

18 

01  01  08  01  01  01  01  01 

88  2B  FF  OA  AO  1A  OB  87 

19 

01  01  04  01  01  01  01  01 

25  61  02  88  92  45  11  C2 

20 

01  01  02  01  01  01  01  01 

C7  15  16  C2  9C  75  D1  70 

21 

01  01  01  80  01  01  01  01 

51  99  C2  9A  52  C9  FO  59 

22 

01  01  01  40  01  01  01  01 

C2  2F  OA  29  4A71  F2  9F 

23 

01  01  01  20  01  01  01  01 

EE  37  14  83  71  4C  02  EA 

24 

01  01  01  10  01  01  01  01 

A8  IF  BD  44  8F  9E  52  2F 

25 

01  01  01  08  01  01  01  01 

4F  64  4C  92  El  92  DF  ED 

26 

01  01  01  04  01  01  01  01 

1A  FA  9A  66  A6  DF  92  AE 

27 

01  01  01  02  01  01  01  01 

B3C1CC715CB8  79D8 

ROUND 

KEY 

CIPHERTEXT 

28 

01  01  01  01  80  01  01  01 

19  DO  32  E6  4A  BO  BD  8B 

29 

01  01  01  01  40  01  01  01 

3C  FA  A7  A7  DC  87  20  DC 

30 

01  01  01  01  20  01  01  01 

B7  26  5F  7F  44  7A  C6  F3 

31 

01  01  01  01  10  01  01  01 

9DB7  3B  3C  OD  16  3F  54 

32 

01  01  01  01  08  01  01  01 

81  81  B6  5B  ABF4A9  75 

33 

01  01  01  01  04  01  01  01 

93  C9  B6  40  42  EA  A2  40 

34 

01  01  01  01  02  01  01  01 

55  70  53  08  29  70  55  92 

35 

01  01  01  01  01  80  01  01 

86  38  80  9E  87  87  87  AO 

36 

01  01  01  01  01  40  01  01 

41  B9  A7  9A  F7  9A  C2  08 

37 

01  01  01  01  01  20  01  01 

7 A  9B  E4  2F  20  09  A8  92 

38 

01  01  01  01  01  10  01  01 

29  03  8D  56  BA  6D  27  45 

39 

01  01  01  01  01  08  01  01 

54  95  C6  AB  FI  E5  DF51 

40 

01  01  01  01  01  04  01  01 

AE  13  DB  D5  61  48  89  33 

41 

01  01  01  01  01  02  01  01 

02  4D  IF  FA  89  04  E3  89 

42 

01  01  01  01  01  01  80  01 

D1  39  97  12F9  9B  FO  2E 

43 

01  01  01  01  01  01  40  01 

14  Cl  D7C1  CFFEC7  9E 

ROUND 

KEY 

CIPHERTEXT 

44 

01  01  01  01  01  01  20  01 

ID  E5  27  9D  AE  3B  ED  6F 

45 

01  01  01  01  01  01  10  01 

E9  41  A3  3F  85  50  13  03 

46 

01  01  01  01  01  01  08  01 

DA  99  DB  BC  9A  03  F3  79 

47 

01  01  01  01  01  01  04  01 

B7  FC  92  F9  ID  8E  92  E9 

48 

01  01  01  01  01  01  02  01 

AE  8E  5C  AA  3C  AO  4E  85 

49 

01  01  01  01  01  01  01  80 

9C  C6  2D  F4  3B  6E  ED  74 

50 

01  01  01  01  01  01  01  40 

D8  63  DB  B5  C5  9A91  AO 

51 

01  01  01  01  01  01  01  20 

A1  AB  21  90  54  5B91  D7 

52 

01  01  01  01  01  01  01  10 

08  75  04  IE  64  C5  70  F7 

53 

01  01  01  01  01  01  01  08 

5A  59  45  28  BE  BE  FI  CC 

54 

01  01  01  01  01  01  01  04 

FC  DB  32  91  DE  21  FO  CO 

55 

01  01  01  01  01  01  01  02 

86  9E  FD  7F  9F  26  5A  09 

Table  A.3  Values  To  Be  Used  for  the  Permutation  Operation  Known  Answer  Test 

for  the  TECB,  TCBC,  TCFB,  and  TOFB  Modes  of  Operation 

-  P/TEXT  =  00  00  00  00  00  00  00  00  for  each  round 

where  applicable,  IV  =  00  00  00  00  00  00  00  00. 


ROUND 

KEY 

C/RESULT 

0 

10  46  91  34  89  98  01  31 

88  D5  5E  54  F5  4C  97  B4 

1 

10  07  10  34  89  98  80  20 

0C  0C  CO  0C  83  EA  48  FD 

2 

10  07  10  34  C8  98  01  20 

83  BC  8E  F3  A6  57  01  83 

3 

10  46  10  34  89  98  80  20 

DF  72  5D  CA  D9  4E  A2  E9 

4 

10  86  91  15  19  19  01  01 

E6  52  B5  3B  55  0B  E8  B0 

5 

10  86  91  15  19  58  01  01 

AF  52  7 1  20  C4  85  CB  B0 

6 

51  07  B0  15  19  58  01  01 

OF  04  CE  39  3D  B9  26  D5 

7 

10  07  B0  15  19  19  01  01 

C9  F0  OF  FC  74  07  90  67 

8 

31  07  91  54  98  08  01  01 

7C  FD  82  A5  93  25  2B  4E 

9 

31  07  91  94  98  08  01  01 

CB  49  A2  F9  E9  13  63  E3 

10 

10  07  91  15  B9  08  01  40 

00  B5  88  BE  70  D2  3F  56 

IT* 


ROUND 

KEY 

C/RESULT 

11 

31  07  91  15  98  08  01  40 

40  6A  9  A  6A  B4  33  99  AE 

12 

10  07  DO  15  89  98  01  01 

6C  B7  73  61  ID  CA  9A  DA 

13 

91  07  91  15  89  98  01  01 

67  FD  21  Cl  7DBB  5D  70 

14 

91  07  DO  15  89  19  01  01 

95  92  CB  41  10  43  07  87 

15 

10  07  DO  15  98  98  01  20 

A6B7FF68  A3  18  DD  D3 

16 

10  07  94  04  98  19  01  01 

4D  10  21  96  C9  14  CA  16 

17 

01  07  91  04  91  19  04  01 

2D  FA  9F  45  73  59  49  65 

18 

01  07  91  04  91  19  01  01 

B4  66  04  81  6C  OE  07  74 

19 

01  07  94  04  91  19  04  01 

6E  7E  62  21  A4  F3  4E  87 

20 

19  07  92  10  98  1A01  01 

AA  85  E7  46  43  23  31  99 

21 

10  07  91  19  98  19  08  01 

2E  5A  19  DB  4D  19  62  D6 

22 

10  07  91  19  98  1A  08  01 

23  A8  66  A8  09  D3  08  94 

23 

10  07  92  10  98  19  01  01 

D8  12  D9  61  FO  17  D3  20 

24 

10  07  91  15  98  19  01  OB 

05  56  05  81  6E58  60  8F 

25 

10  04  80  15  98  19  01  01 

AB  D8  8E  8B  IB  77  16  FI 

26 

10  04  80  15  98  19  01  02 

53  7 A  C9  5B  E6  9DA1  El 

ROUND 

KEY 

C/RESULT 

27 

10  04  80  15  98  19  01  08 

AE  DO  F6  AE  3C  25  CD  D8 

28 

10  02  91  15  98  10  01  04 

B3  E3  5A  5E  E5  3E  7B  8D 

29 

10  02  91  15  98  19  01  04 

61  C7  9C  71  92  1A  2E  F8 

30 

10  02  91  15  98  10  02  01 

E2  F5  72  8F  09  95  01  3C 

31 

10  02  91  16  98  10  01  01 

1A  EA  C3  9A  61  F0  A4  64 

Table  A.4  Values  To  Be  Used  for  the  Substitution  Table  Known  Answer  Test 
for  the  TECB,  TCBC,  TCFB,  and  TOFB  Modes  of  Operation 


ROUND 

KEY 

P/TEXT 

C/RESULT 

0 

7C  A1  10  45  4A  1A  6E  57 

01  A1  D6  DO  39  77  67  42 

69  OF  5B  0D  9A  26  93  9B 

1 

01  31  D9  61  9DC1  37  6E 

5C  D5  4C  A8  3D  EF  57  DA 

7 A  38  9D  10  35  4B  D2  71 

2 

07  A1  13  3E4A0B  26  86 

02  48  D4  38  06  F6  71  72 

86  8E  BB51CAB4  59  9A 

3 

38  49  67  4C  26  02  31  9E 

51  45  4B  58  2D  DF44  0A 

71  78  87  6E01  FI  9B  2A 

4 

04  B9  15  BA  43  FE  B5  B6 

42  FD  44  30  59  57  7F  A2 

AF  37  FB  42  IF  8C  40  95 

5 

01  13  B9  70FD34F2CE 

05  9B  5E  08  51  CF14  3A 

86  A5  60  FI  0E  C6  D8  5B 

6 

01  70  FI  75  46  8F  B5  E6 

07  56  D8  E0  77  47  61  D2 

0C  D3  DA  02  00  21  DC  09 

7 

43  29  7F  AD  38  E3  73  FE 

76  25  14  B8  29  BF  48  6A 

EA  67  6B  2C  B7  DB  2B  7A 

8 

07  A7  13  70  45  DA2A  16 

3B  DD  1 1  90  49  37  28  02 

DF  D6  4A81  5C  AF  1A0F 

9 

04  68  91  04  C2  FD  3B  2F 

26  95  5F  68  35  AF  60  9A 

5C513C  9C  48  86  CO  88 

10 

37  DO  6B  B5  16  CB  75  46 

16  4D  5E  40  4F  27  52  32 

0A  2A  EE  AE  3F  F4  AB  77 

11 

IF  08  26  0D  1A  C2  46  5E 

6B  05  6E  18  75  9F  5C  CA 

EF  IB  F0  3E  5D  FA  57  5A 

12 

58  40  23  64  1A  BA  61  76 

00  4B  D6  EF  09  17  60  62 

88  BF  0D  B6  D7  0D  EE  56 

13 

02  58  16  16  46  29  B0  07 

48  0D  39  00  6E  E7  62  F2 

A1  F9  91  55  41  02  0B  56 

ROUND 

KEY 

P/TEXT 

C/RESULT 

14 

49  79  3E  BC  79  B3  25  8F 

43  75  40  C8  69  8F  3C  FA 

6F  BF  1C  AF  CF  FD  05  56 

15 

4FB0  5E  15  15  AB  73  A7 

07  2D  43  AO  77  07  52  92 

2F  22  E4  9B  AB  7C  A1  AC 

16 

49  E9  5D  6D  4C  A2  29  BF 

02  FE  55  77  81  17  FI  2A 

5A  6B  61  2C  C2  6C  CE  4A 

17 

01  83  10  DC  40  9B  26  D6 

1D9D  5C  50  18  F7  28  C2 

5F  4C  03  8ED1  2B  2E41 

18 

1C  58  7F  1C  13  92  4FEF 

30  55  32  28  6D  6F  29  5A 

63  FA  CO  DO  34  D9  F7  93 

Table  A.5  Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test  for  TCBC-I  Mode  of  Operation 

(NOTE  -  KEY1  =  KEY2  =  KEY3  =  01  01  01  01  01  01  01  01 


IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 

INPUTBLOCK  1 

CIPHERTEXT1 

INPUTBLOCK  2 

CIPHERTEXT2 

INPUTBLOCK  3 

CIPHERTEXT3 

0 

8000000000000000 

95f8a5e5dd31d900 

d555555555555555 

f7552ab6cb21e2bc 

2aaaaaaaaaaaaaaa 

5a48d3de869557fd 

1 

4000000000000000 

dd7fl21ca5015619 

1555555555555555 

e0c2aflebd89a262 

eaaaaaaaaaaaaaaa 

fl5ee2019a5b547c 

i  2 

2000000000000000 

2e8653 104f3834ea 

7555555555555555 

05b865ale49edl09 

8aaaaaaaaaaaaaaa 

3bee595ef8603 1 6a 

3 

1000000000000000 

4bd3  8 8ff6cd8 1  d4f 

4555555555555555 

b447 3 1 3fc704d32 1 

baaaaaaaaaaaaaaa 

f6089ca9b7227 65c 

4 

0800000000000000 

20b9e767b2fbl456 

5d55555555555555 

c39193d42381b313 

a2aaaaaaaaaaaaaa 

af  1 5  a8e9b2c 1 4de5 

5 

0400000000000000 

55579380d77138ef 

5155555555555555 

6a2afdae  1 8  8494b8 

aeaaaaaaaaaaaaaa 

45089 1 861 80bd59 1 

6 

0200000000000000 

6cc5defaaf04512f 

5755555555555555 

1359f4d663a3209c 

a8aaaaaaaaaaaaaa 

280d3ae3a00cfbc9 

7 

0100000000000000 

0d9f279ba5d87260 

5455555555555555 

4a035e6a81dl314b 

abaaaaaaaaaaaaaa 

d27eb94e56c3172a 

8 

0080000000000000 

d903 1 b027 1 bd5a0a 

55d5555555555555 

4334b5felb7f5320 

aa2aaaaaaaaaaaaa 

b0555ab990b7e95c 

9 

0040000000000000 

424250b37c3dd95 1 

5515555555555555 

f4 1 a29e0d3 1 1 07b4 

aaeaaaaaaaaaaaaa 

f54f2bd8e2eb2bc6 

10 

0020000000000000 

b8061b7ecd9a21e5 

5575555555555555 

c8eb2e340855325b 

aa8aaaaaaaaaaaaa 

d51 175259c607fb4 

273 


ROUND 

INPUTBLOCK  1 

CIPHERTEXT1 

INPUTBLOCK  2 

CIPHERTEXT2 

INPUTBLOCK  3 

CIPHERTEXT3 

i  11 

0010000000000000 

fl5d0f286b65bd28 

5545555555555555 

b75847a2f3f2458a 

aabaaaaaaaaaaaaa 

72ea3aadb569af43 

12 

0008000000000000 

add0cc8d6e5debal 

555d555555555555 

be43 3af4c5  ae0f97 

aaa2aaaaaaaaaaaa 

9b003 1 5 1 e8602b7d 

13 

0004000000000000 

e6d5f82752ad63d  1 

5551555555555555 

f68101dl25e2e284 

aaaeaaaaaaaaaaaa 

fcl463bb9bba9el 1 

14 

0002000000000000 

ecbfe3bd3f591a5e 

5557555555555555 

fa5 1 0732fa87 1 094 

aaa8aaaaaaaaaaaa 

65f94c59c59b06e 1 

15 

0001000000000000 

f356834379d 1 65cd 

5554555555555555 

458d97a8b6ebd0d7 

aaabaaaaaaaaaaaa 

fbcfc086f81 11572 

16 

0000800000000000 

2b9f9 82f20037fa9 

5555d55555555555 

f4169ca3fc6799ed 

aaaa2aaaaaaaaaaa 

68c9e70b9de8db79 

17 

0000400000000000 

889de068al6f0be6 

5555155555555555 

f47b9f0 1  a5ee74e9 

aaaaeaaaaaaaaaaa 

63fc8ec  1421 399b8 

1  18 

0000200000000000 

el9e275d846al298 

5555755555555555 

ee26a403caca387d 

aaaa8aaaaaaaaaaa 

3fldl0e9ala44a92 

19 

0000100000000000 

329a8ed523d7 laec 

5555455555555555 

af7  e5  ad  1  d9f4ecf8 

aaaabaaaaaaaaaaa 

e3f663de44003f9b 

20 

0000080000000000 

e7fce22557d23c97 

55555d5555555555 

bb04e854f99f6352 

aaaaa2aaaaaaaaaa 

bc2452fdl 3e00dcc 

21 

0000040000000000 

12a9f5817ff2d65d 

5555515555555555 

01f57ble69290d90 

aaaaaeaaaaaaaaaa 

4432allelc320e7a 

22 

0000020000000000 

a484c3  ad3  8dc9c 1 9 

5555575555555555 

8ae9dee849b46527 

aaaaa8aaaaaaaaaa 

ale9e67fl3f932b3 

23 

0000010000000000 

fbe00a8a 1 ef 8ad72 

5555545555555555 

cb7 06efba6b5 1 1  Oe 

aaaaabaaaaaaaaaa 

6fdld0793clb7af2 

24 

0000008000000000 

750d079407521363 

555555d555555555 

b8b27dl286bdbb26 

aaaaaa2aaaaaaaaa 

3d2c39f9d26b5  89e 

1  25 

0000004000000000 

64feed9c7 24c2faf 

5555551555555555 

9862c9d770558095 

aaaaaaeaaaaaaaaa 

e3  a7  abc  881 32ad7 d 

26 

0000002000000000 

f02b263b328e2b60 

5555557555555555 

a213c5c56fdcal39 

aaaaaa8aaaaaaaaa 

08cd945738a222c8 

274 


ROUND 

INPUTBLOCK  1 

CIPHERTEXT1 

INPUTBLOCK  2 

CIPHERTEXT2 

INPUTBLOCK  3 

CIPHERTEXT3 

27 

0000001000000000 

9d64555a9al0b852 

5555554555555555 

a3bebc0e23ab87f2 

aaaaaabaaaaaaaaa 

568fa34d2fc7225e 

28 

0000000800000000 

dl06ff0bed5255d7 

5555555d55555555 

c32c 1 9229d84e2b4 

aaaaaaa2aaaaaaaa 

377 1 887d7266b49d 

29 

0000000400000000 

e 1 652c6b 1 3  8c64a5 

5555555155555555 

e628ceae5cb3bb34 

aaaaaaaeaaaaaaaa 

edd6029a6b80a442 

30 

0000000200000000 

e428581 186ec8f46 

5555555755555555 

5924454953ad5732 

aaaaaaa8aaaaaaaa 

03 1 3da097 aec4a43 

31 

0000000100000000 

aeb5f5ede22d  1  a36 

5555555455555555 

7cc987f5fb33b813 

aaaaaaabaaaaaaaa 

9 1  f5b30f0 1 5b4a54 

32 

0000000080000000 

e943d7568aec0c5c 

55555555d5555555 

88e3dd 1 448c4e0ff 

aaaaaaaa2aaaaaaa 

1 e60759f03 8beec 1 

33 

0000000040000000 

df9  8c 827 6f54b04b 

5555555515555555 

a49d286e5dfc6 1 43 

aaaaaaaaeaaaaaaa 

97061 6993 83bbfe0 

34 

0000000020000000 

b 1 60e4680f6c696f 

5555555575555555 

a5206a311e9c2515 

aaaaaaaa8aaaaaaa 

311f3c96e071fl73 

35 

0000000010000000 

fa0752b07  d9c4ab  8 

5555555545555555 

b6e4686a8b957cf2 

aaaaaaaabaaaaaaa 

1 a6849edcb7 0 1 b07 

36 

0000000008000000 

ca3a2b036dbc8502 

555555555d555555 

af 1 2004 1 8fd3  7  fdd 

aaaaaaaaa2aaaaaa 

fa5b2fa26d03558b 

37 

0000000004000000 

5e09055 1 7bb59bcf 

5555555551555555 

487deccf0fde5b8  8 

aaaaaaaaaeaaaaaa 

bcaa0b7b7b3464c5 

38 

0000000002000000 

8 1 4eeb3b9 1 d90726 

5555555557555555 

456al865905ed57d 

aaaaaaaaa8aaaaaa 

3d245b501c6abb74 

39 

0000000001000000 

4d49db 153291 9c9f 

5555555554555555 

3e2601fa20895e62 

aaaaaaaaabaaaaaa 

62133d9330e2e86b 

40 

0000000000800000 

25eb5fc3f8cf062 1 

5555555555d55555 

58da89972266a7e3 

aaaaaaaaaa2aaaaa 

5d7d6bd225890b4d 

41 

0000000000400000 

ab6a20c0620d 1 c6f 

5555555555155555 

feacal7e5dd05c87 

aaaaaaaaaaeaaaaa 

db36baba70c3b9af 

42 

0000000000200000 

79e90dbc98f92cca 

5555555555755555 

88249b73e99c5ac0 

aaaaaaaaaa8aaaaa 

a2f5ea90c2 1 79ab4 
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ROUND 

INPUTBLOCK  1 

CIPHERTEXT1 

INPUTBLOCK  2 

CIPHERTEXT2 

INPUTBLOCK  3 

CIPHERTEXT3 

43 

0000000000100000 

866ecedd8072bb0e 

5555555555455555 

5f8add87 84cc3 174 

aaaaaaaaaabaaaaa 

70470a07cb34el09 

44 

0000000000080000 

8b54536f2f3e64a8 

55555555555d5555 

cd8dc942ae2bbl75 

aaaaaaaaaaa2aaaa 

65961 0094ab3  824e 

45 

0000000000040000 

ea51d3975595b86b 

5555555555515555 

cf8442863e68e644 

aaaaaaaaaaaeaaaa 

26e6223634c857a3 

46 

0000000000020000 

caffc6ac4542de3 1 

5555555555575555 

16952dc89c0acd65 

aaaaaaaaaaa8aaaa 

ddd0a647be9604 1 f 

47 

0000000000010000 

8dd45a2ddf90796c 

5555555555545555 

8a4fca2b00c49807 

aaaaaaaaaaabaaaa 

3632 1 9d  8cec5  a9f3 

|  48 

0000000000008000 

1029d55e880ec2d0 

555555555555d555 

b40225 aea 1 2 1 c  8d3 

aaaaaaaaaaaa2aaa 

bb5710f9dc8dde46 

49 

0000000000004000 

5d86cb23639dbea9 

5555555555551555 

711c066cl3222flc 

aaaaaaaaaaaaeaaa 

ae527ed311a25ea2 

50 

0000000000002000 

Idlca853ae7c0c5f 

5555555555557555 

4fb69c832db68026 

aaaaaaaaaaaa8aaa 

af94496800a32656 

51 

0000000000001000 

ce332329248f3228 

5555555555554555 

f24c7444edf  1  c394 

aaaaaaaaaaaabaaa 

c55d7544aleae274 

52 

0000000000000800 

8405dlabe24fb942 

5555555555555d55 

6be457abc51 le87c 

aaaaaaaaaaaaa2aa 

9ba49db25 1748896 

53 

0000000000000400 

e643d78090ca4207 

5555555555555155 

6136fefebb0c81 18 

aaaaaaaaaaaaaeaa 

3dl9267de9cl2e7b 

54 

0000000000000200 

48221b9937748a23 

5555555555555755 

d23a8dfe39c98883 

aaaaaaaaaaaaa8aa 

5ce84637532650c8 

55 

0000000000000100 

dd7c0bbd61fafd54 

5555555555555455 

afe2e34f009924e2 

aaaaaaaaaaaaabaa 

d4394 1 ab72932bb0 

56 

0000000000000080 

2fbc291a570db5c4 

55555555555555d5 

0adcf552ec  1 754c6 

aaaaaaaaaaaaaa2a 

8 1 6c454ba7 894865 

57 

0000000000000040 

e07c30d7e4e26el2 

5555555555555515 

c06e80c5238135bb 

aaaaaaaaaaaaaaea 

74bc744f  1 0f63  889 

58 

0000000000000020 

0953e2258e8e90al 

5555555555555575 

0912754e7c42f637 

aaaaaaaaaaaaaa8a 

3d2565d9bf62cdbd 

276 


ROUND 

INPUTBLOCK  1 

CIPHERTEXT1 

INPUTBLOCK  2 

CIPHERTEXT2 

INPUTBLOCK  3 

CIPHERTEXT3 

59 

0000000000000010 

5b7 1  Ibc4ceebf2ee 

5555555555555545 

b4f82967c658adb8 

aaaaaaaaaaaaaaba 

a2e 1 3c5 70 1 a60444 

60 

0000000000000008 

cc083fle6d9e85f6 

555555555555555d 

006fal2a796ac4d3 

aaaaaaaaaaaaaaa2 

cbe2873fd6f63048 

61 

0000000000000004 

d2fd8867d50d2dfe 

5555555555555551 

1 a4a3 646 1 6460d44 

aaaaaaaaaaaaaaae 

cc6adceflbe975ef 

62 

0000000000000002 

06e7ea22ce92708f 

5555555555555557 

f307b5bcd44f3d8d 

aaaaaaaaaaaaaaa8 

99 Id770b2bf05 ldc 

63 

0000000000000001 

1 66b40b44aba4bd6 

5555555555555554 

9cb Ic3932c005c49 

aaaaaaaaaaaaaaab 

17d8e9c374dl 4494 

277 


Table  A.6  Resulting  Ciphertext  from  the  Inverse  Permutation  Known  Answer  Test  for  TCBC-I  Mode  of  Operation 

(Encryption  Process) 


(NOTE  -  KEY1  =  KEY2  =  KEY3  =  01  01  01  01  01  01  01  01 
IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 

PLAINTEXT1 

CIPHERTEXT1 

PLAINTEXT2 

CIPHERTEXT2 

PLAINTEXT3 

CIPHERTEXT3  ! 

0 

95f8a5e5dd31d900 

8000000000000000 

f7 552ab6cb2 1  e2bc 

713d058fe58a43f7 

5a48d3de869557fd 

e4999d5c3cceee44 

1 

dd7fl21ca5015619 

4000000000000000 

e0c2af  1  ebd89a262 

0ac7 60c0 1 e5927ef 

f  1 5ee20 1 9a5b547c 

accdl5b5dde0b5c2  i 

2 

2e8653104f3834ea 

2000000000000000 

05b865 a 1 e49ed 1 09 

3631 30ca94da9d8a 

3bee595ef8603 16a 

697 3 2f 3  dbb5 65 2b  1  i 

4bd388ff6cd81d4f 

1000000000000000 

b447 3 1 3fc704d32 1 

1  e  1 4d9 1 09bc  1  f46c 

f6089ca9b722765c 

ace935al 15450a05  i 

4 

20b9e767b2fbl456 

0800000000000000 

c39193d42381b313 

6a46ef972da6a833 

af  1 5a8e9b2c 1 4de5 

clb2f69f9a21090d  | 

5 

55579380d77138ef 

0400000000000000 

6a2afdae  1 88494b8 

330aec7886295 181 

450891 86 180bd591 

a8f987e6d0d3af25  i 

6 

6cc5defaaf045 1 2f 

0200000000000000 

1359f4d663a3209c 

e5 1 8b 1 54c8b8c8a6 

280d3ae3a00cfbc9 

87f0fbcb6b40af68  ! 

7 

0d9f279ba5d87260 

0100000000000000 

4a035e6a8 1  d  1 3 1 4b 

8decl 19b560a53d0 

d27eb94e56c3172a 

6aa899298c76715b 

8 

d903 lb027 Ibd5a0a 

0080000000000000 

4334b5felb7f5320 

d8807ced29f8f8d  1 

b0555ab990b7e95c 

7fl7a4e7532b04f9 

9 

424250b37c3dd95 1 

0040000000000000 

f4 1  a29e0d3 1 1 07b4 

dbe8eba35e2a295b 

f54f2bd8e2eb2bc6 

5c899d0cf0f8al35  i 

10 

b8061b7ecd9a21e5 

0020000000000000 

c8eb2e340855325b 

fa5b70dlb836e88d 

d5 1 175259c607fb4 

7266 1 6043 a 1 cO 1 07 

11 

fl5d0f286b65bd28 

0010000000000000 

b75847a2f3f2458a 

4be2d4ffa6f22 133 

72ea3aadb569af43 

ba0432be3b5bb6f8  1 

12 

add0cc8d6e5deba 1 

0008000000000000 

be43 3 af4c5  ae0f97 

b85a5c395b3a5885 

9b003151e8602b7d 

e40807 eal3ddl09e 

13 

e6d5f82752ad63d  1 

0004000000000000 

f68 1 0 1  d  1 25e2e284 

9f65cff48d26c25  8 

fc  1 463bb9bba9e  1 1 

7851707ef934aa75 

14 

ecbfe3bd3f59 1  a5e 

0002000000000000 

fa5 1 0732fa87 1 094 

40e88 1 3c7 1 8539ac 

65f94c59c59b06e  1 

d51aab52aa37dc8d 

15 

f356834379dl65cd 

0001000000000000 

45  8d97a8b6ebd0d7 

289a7729f22d7703 

fbcfc086f81 1 1572 

266e7b0862cf5fc2 

16 

2b9f982f20037fa9 

0000800000000000 

f4 1 69ca3fc6799ed 

al Ib556e8clb26c5 

68c9e70b9de  8db7  9 

aedab27 4b2ef  1 5c9  ! 

17 

889de068a 1 6f0be6 

0000400000000000 

f47b9f0 1  a5ee74e9 

3683a86916c7bl Id 

63fc8ec  142 1 399b8 

80fbb25 39dd96d8f 

18 

el9e275d846al298 

0000200000000000 

ee26a403caca387d 

9f073f4f068f3d0e 

3fldl0e9ala44a92 

498437929c6ccf59  ! 

19 

329a8ed523d7 1 aec 

0000100000000000 

af7e5adld9f4ecf8 

077 12fl96c02eb9b 

e3f663de44003f9b 

c4ebb01e305e41e2  1 

e7fce22557d23c97 

0000080000000000 

bb04e854f99f6352 

93141 266 15626c01 

bc2452fd  1 3e00dcc 

82fb4a9ce4c928 1 8  1 

12a9f5817ff2d65d 

0000040000000000 

0 1  f57b 1 e69290d90 

b695 8 1 70aba3 84c9 

4432a 1 Ielc320e7a 

9 1 239239e22f0280 

a484c3  ad3  8dc9c 1 9 

0000020000000000 

8ae9dee849b46527 

3bb724cf5e35707d 

ale9e67fl3f932b3 

cc30662b5 1 d40c 1 a  ! 

fbe00a8a  1  ef8ad72 

0000010000000000 

cb7 06efba6b5 1 1  Oe 

9felafb876cdb756 

6fdld0793clb7af2 

8e67cf5371a467a2  I 

750d079407521363 

0000008000000000 

b8b27  d 1 286bdbb26 

Idb03e2b95785d8a 

3d2c39f9d26b589e 

6e79366486097eba 

278 


ROUND 

PLAINTEXT1 

CIPHERTEXT1 

PLAINTEXT2 

CIPHERTEXT2 

PLAINTEXT3 

CIPHERTEXT3 

64feed9c7 24c2faf 

0000004000000000 

9862c9d770558095 

ea4e26 1 44ada8e2b 

e3a7abc88132ad7d 

ce297 1 05509 1 al af 

f02b263b328e2b60 

0000002000000000 

a2 1 3c5c56fdca  139 

97255bd98b5ed9b3 

08cd945738a222c8 

252e33166953cd68 

27 

9d64555a9al0b852 

0000001000000000 

a3bebc0e23  ab87  f2 

85  a52d6656cf 1 3be 

568fa34d2fc7225e 

39a97 13 1739 1242b 

dl06ff0bed5255d7 

0000000800000000 

c32c 1 9229d84e2b4 

6965b2633fbe37a8 

3771887d7266b49d 

d95  a7aa0bec4fa7a 

e 1 652c6b 1 3  8c64a5 

0000000400000000 

e628ceae5cb3bb34 

0e83 1 7 ae44e3caa0 

edd6029a6b80a442 

4dfdcc7a4279b2c0  | 

e42858 1 1 86ec8f46 

0000000200000000 

5924454953ad5732 

567efb50dc99f5dc 

03 1 3da097 aec4a43 

96bb89c94 1 63 1 bed 

aeb5f5ede22d  1  a36 

0000000100000000 

7cc987f5fb33b813 

46814855930b3a3f 

91f5b30f015b4a54 

Ic3ba8fbadab9a22  1 

e943d7568aec0c5c 

0000000080000000 

88e3dd  1 448c4e0ff 

a77142eabd2bd877 

1 e607 59f038beec 1 

8fc77798b  1 692ab2  | 

df9  8c 8276f5  4b04b 

0000000040000000 

a49d286e5dfc6 143 

76395f51bdf699db 

97061699383bbfe0 

ace5681dfba69ceb  | 

b  1 60e4680f6c696f 

0000000020000000 

a5206a3 1 1 e9c25 1 5 

c3e20437ad6c32b7 

311f3c96e071fl73 

782058f728c21 174 

fa0752b07d9c4ab8 

0000000010000000 

b6e4686a8b957cf2 

34cfbfca8df5fb9d 

1 a6849edcb70 1 b07 

fc  1 4dafe9d  1 7 1  db5 

ca3a2b036dbc8502 

0000000008000000 

af 1 2004 1 8fd37fdd 

b372320762d438f8 

fa5b2fa26d03558b 

3391 8993 lada4474 

5e09055 1 7bb59bcf 

0000000004000000 

487deccf0fde5b88 

882402b6dec6675f 

bcaa0b7b7b3464c5 

c6dlf875363bf7ea  | 

8 1 4eeb3b9 1 d907 26 

0000000002000000 

456al865905ed57d 

69el758b520187d4 

3d245b50 1 c6abb7 4 

3 1 097d93 1 da2e7bd 

4d49db 1 5 329 1 9c9f 

0000000001000000 

3e2601fa20895e62 

ab8232a31d78e0fc 

62133d9330e2e86b 

0bff0085bb36e9b0  | 

25eb5fc3f8cf062 1 

0000000000800000 

58da89972266a7e3 

aeed06b9f5 1  ce37a 

5d7d6bd225890b4d 

5d09a28ee99cb585  1 

41 

ab6a20c0620d 1 c6f 

0000000000400000 

feacal7e5dd05c87 

96dc5bd6e0bl0d83 

db36baba70c3b9af 

46d9a629a0616379 

79e90dbc98f92cca 

0000000000200000 

88249b73e99c5ac0 

55a4cdc28ecf0541 

a2f5ea90c2 1 79ab4 

ab239da3e3fab21b  | 

866ecedd8072bb0e 

0000000000100000 

5f8add8784cc3 174 

7349bfc7f6461210 

7047 0a07  cb34e 1 09 

9331573 af5067b09  i 

44 

8b54536f2f3e64a8 

0000000000080000 

cd8dc942ae2bb 175 

90b4544c9e6ad23b 

65961 0094ab3 824e 

3 1 33eeddd4f2ffec  | 

45 

ea51d3975595b86b 

0000000000040000 

cf8442863e68e644 

2d7e77de47d0dad4 

26e6223634c857a3 

408e7d58ba623208 

46 

caffc6ac4542de3 1 

0000000000020000 

16952dc89c0acd65 

b87887b6dddaab6f 

ddd0a647be9604 1 f 

0e5b54a5  a9cfbed  1 

47 

8dd45a2ddf90796c 

0000000000010000 

8a4fca2b00c49807 

8fdec  1 977d446e54 

363219d8cec5a9f3 

b87 5b2ffa6fea  1 46  j 

48 

1029d55e880ec2d0 

0000000000008000 

b40225aeal21c8d3 

aedc 1 e02bd0995 7 1 

bb5  7 1 0f9dc8dde46 

Ial90ba501 176f51  j 

49 

5d86cb23639dbea9 

0000000000004000 

711c066cl3222flc 

1 404bcbe4 1 ce6aa 1 

ae527ed31 Ia25ea2 

863541 107db40094 

Idlca853ae7c0c5f 

0000000000002000 

4fb69c832db68026 

83804dddlb5cd4fd 

af94496800a32656 

0d3834749def9e7a  ! 

ce332329248f3228 

0000000000001000 

f24c7444edf  1  c394 

5f54383a55d6198a 

c55d7544aleae274 

b601d210b21d541b 

8405dlabe24fb942 

0000000000000800 

6be457abc511e87c 

flc2172a084f656f 

9ba49db25 1748896 

50d294abb 1 2450bb 

e643d7 8090ca4207 

0000000000000400 

6136fefebb0c8118 

88b53f4066285776 

3d 1 9267 de9c 1 2e7b 

0 1 Oa 1 b96b90 1 7a94 

48221b9937748a23 

0000000000000200 

d23a8dfe39c98883 

4dc3blbc755eb684 

5ce84637532650c8 

1 5  acb37fde2a095 a  i 

dd7c0bbd61fafd54 

0000000000000100 

afe2e34f009924e2 

45c93fbf9ea29104 

d43941ab72932bb0 

7bd2597948ce5bc8  j 

2fbc291a570db5c4 

0000000000000080 

0adcf552ec  1 754c6 

e5c336ae5360d967 

8 1 6c454ba7 894865 

b3f30f939f9bc4db  ' 

57 

e07  c30d7  e4e26e 1 2 

0000000000000040 

c06e80c5238135bb 

31clcl914e9d7278 

74bc744fl0f63889 

d30cbd5808d8e0ef  i 

279 


ROUND 

PLAINTEXT1 

CIPHERTEXT1 

PLAINTEXT2 

CIPHERTEXT2 

PLAINTEXT3 

CIPHERTEXT3 

0953e2258e8e90al 

0000000000000020 

0912754e7c42f637 

ca  1  dadOfa  1978258 

3d2565d9bf62cdbd 

b30b208b6ccecada  ! 

5b7 1  Ibc4ceebf2ee 

0000000000000010 

b4f82967 c65 8adb8 

afd29a3fbal  8602a 

a2e 1 3c570 1 a60444 

027d03f040 1 6c3c2  ! 

cc083fle6d9e85f6 

0000000000000008 

006fa  1 2a7 96ac4d3 

c291dff5ec01e8b3 

cbe2873fd6f63048 

c0950b7f3clbfaca  j 

61 

d2fd8867d50d2dfe 

0000000000000004 

1 a4a3646 1 6460d44 

649 1 ba623 1 49f3d0 

cc6adceflbe975ef 

2e475e2153dlc64a 

06e7ea22ce92708f 

0000000000000002 

G07b5bcd44f3d8d 

87c6963b33be0353 

99 1  d77 0b2bf05 1  dc 

f8f7ded629f3fc48  | 

1 66b40b44aba4bd6 

0000000000000001 

9cblc3932c005c49 

4fce2baa2cd647 d3 

17d8e9c374d 14494 

776bdle53efld7d6  i 

280 


Table  A.7  Resulting  Ciphertext  from  the  Initial  Permutation  Known  Answer  Test  for  TCBC-I  Mode  of  Operation 

(Decryption  Process) 


(NOTE  -  KEY1  =  KEY2  =  KEY3  01  01  01  01  01  01  01  01 
IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 


CIPHERTEXTS 


8000000000000000 


PLAINTEXT! 


95f8a5e5dd31d900 


PLAINTEXT/ 


c0adf0b088648c55 


PLAINTEXT3 


3f520f4f779b73aa 


4000000000000000 


dd7f!21ca5015619 


882a4749f054034c 


77d5b8b60fabfcb3 


2000000000000000 


2e8653104f3834ea 


7bd3 0645 1 a6d6 1 bf 


842cf9bae5929e40 


1000000000000000 


4bd388ff6cd81d4f 


1 e86ddaa398d48 1 a 


el792255c672b7e5 


0800000000000000 


20b9e767b2fbl456 


75ecb232e7ae4 1 03 


8a  1 34dcd  1 85  lbefc 


0400000000000000 


55579380d77138ef 


0002c6d5 82246dba  fffd392a7ddb9245 


0200000000000000 


6cc5defaaf04512f 


39908baffa5 1047a 


c66f/  45005 aefb85 


0100000000000000 


0d9f279ba5d87260 


58ca72cef08d2735 


a7358d310r72d8ca 


0080000000000000 


d903 lb027 Ibd5a0a 


8c564e5724e80f5f 


7  3  a9b 1 a8db 1 7fOaO 


0040000000000000 


424250b37c3dd95 1 


171705e629688c04 


e8e8fal9d69773fb 


0020000000000000 


b8061b7ecd9a21e5 


ed534e2b98cf74b0 


12acbld467308b4f 


0010000000000000 


f  1 5d0f286b65bd28 


a4085a7d3e30e87d 


5br7a582clcfl782 


0008000000000000 


0004000000000000 


add0cc8d6e5deba 1 


f88599d83b08bef4 


077a6627c4f7410b 


e6d5f82752ad63dl 


b380ad7207f83684 


4c7f528df807c97b 


0002000000000000 


ecbfe3bd3f59 1  a5e 


b9eab6e86a0c4f0b 


461549 1 795r3b0f4 


0001000000000000 


0000800000000000 


r356834379dl65cd 


a603d6 162c  843098 


59fc29e9d37bcf67 


2b9f982f2003 7 fa9 


7ecacd7a75562afc  813532858aa9d503 


0000400000000000 


0000200000000000 


889de068al 6f0be6 


ddc8b53df43a5eb3 


2237 4ac20bc5  a 1 4c 


el9e275d846al298 


b4cb7208d 1 3f47cd 


4b348dl72ec0b832 


0000100000000000 


329a8ed523d7 1 aec 


67 cfdb807 6824fb9  ||  9830247f897db046 


0000080000000000 


e7fce22557d23c97 


b2a9b770028769c2 


4d56488ffd78963d 


0000040000000000 


0000020000000000 


0000010000000000 


12a9f5817ff2d65d 


47fca0d42aa78308 


b8035f2bd5587cf7 


a484c3  ad3  8dc9c 1 9 


f 1 d 1 96f86d89c94c 


0e2e6907927636b3 


514aa020b45207d8 


II  fbe00a8alef8ad72  II  aeb55fdf4badf827 


ROUND 


CIPHERTEXTS 


0000008000000000 


PLAINTEXT! 


750d079407521363 


PLAINTEXT/ 


205852c 1 52074636 


PLAINTEXT3 


dfa7ad3eadf8b9c9 


0000004000000000 


64feed9c724c2faf 


3 1  abb8c927 1 97afa 


ce544736d8e68505 


0000002000000000 


f02b263b328e2b60 


a57e736e67  db7  e  3  5 


5a8 1 8c9 198248 lea 


0000001000000000 


9d64555a9al0b852 


c83 1 000fcf45ed07 


37  cefff030ba  1 2f8 


0000000800000000 


0000000400000000 


d  1 06ff0bed5  25  5d7 


845 3 aa5eb8070082 


7bac55al47f8ff7d 


el652c6b!38c64a5 


b430793e46d931f0 


4bcf86clb926ce0f 


0000000200000000 


0000000100000000 


e4285 811 86ec8f46 


b 1 7 d0d44d3b9da 1 3 


4e8212bb2c4625ec 


aeb5f5ede22d  1  a36 


fbe0a0b8b77 84163 


04 1  f5f474887b09c 


0000000080000000 


e943d7568aec0c5c 


bcl68203dfb95909 


43e97dfc2046a6f6 


0000000040000000 


df9  8c 827 6f54b04b 


8acd9d723 aO 1 e5 1 e 


7532628dc5fe  1  ae  1 


0000000020000000 


bl60e4680f6c696f 


e435bl3d5a393c3a 


Ibca4ec2a5c6c3c5 


50adf8 1 ad736e0 1 2 


0000000010000000 


fa0752b07d9c4ab8 


af5207e528c9 1  fed 


0000000008000000 


ca3a2b036dbc8502 


9f6f7e5638e9d057 


60908  Ia9c7162fa8 


f4a3affbdllf3165 


0000000004000000 


5e09055 1 7bb59bcf 


0b5c50042ee0ce9a 


0000000002000000 


8 1 4eeb3b9 1 d907 26 


d4 1 bbe6ec48c527 3 


2be44 1913b73ad8c 


0000000001000000 


4d49db 153291 9c9f 


181 c8e4067 c4c9ca 


e7e37  Ibf983b3635 


0000000000800000 


0000000000400000 


25eb5fc3f8cf062 1 


70be0a96ad9a5374 


814115695 265 ac  8b 


ab6a20c0620d 1 c61 


le3175953758493a 


01c08a6ac8a7b6c5 


0000000000200000 


79e90dbc98192cca 


2cbc58e9cdac7991 


d343a71632538660 


0000000000100000 


866ecedd8072bb0e 


d33b9b88d527ee5b 


2cc464772ad8 1 1 a4 


0000000000080000 


0000000000040000 


8b5453612De64a8 


deO  1 063 a7  a6b3 1  Id 


211el9c58594ce02 


ea51d3975595b86b 


b!0486c200c0ed3e 


401b793dll311 2c  1 


0000000000020000 


0000000000010000 


callc6ac4542de3 1 


91aa9319 10 1 7 8b64 


60556c  06ele8749b 


8dd45a2ddl90796c 


d88101788ac52c39 


277el087753ad3c6 


0000000000008000 


0000000000004000 


1029d55e880ec2d0 


45 7 c800bdd5b9785 


ba83711422a4687a 


5d86cb23639dbea9 


08d39e7636c8eblc 


172c6189c9371403 


0000000000002000 


0000000000001000 


Idlca853ae7c0c51 


48491d06fb29590a 


b7b6021904d6a615 


ce33232924813228 


9b66767c71da677d 


649989838e259882 


0000000000000800 


0000000000000400 


8405dlabe24fb942 


d 1 50841eb7 1  aec  1 7 


2eaf7bO  1 48e5 1 3e8 


e643d7 8090ca4207 


b31682d5c5911752 


4ce97d2a3a60e8ad 


0000000000000200 


0000000000000100 


0000000000000080 


48221b9937748a23 


1  d774ecc622 1  df7  6 


e288bl339dde2089 


dd7  c0bbd6 1  lald54 


88295ee834ala801 


77d6all7cb50571e 


21bc291a570db5c4  7ae97c410258e091  851683b01da7U6e 


ROUND 

CIPHERTEXTS 

PLAINTEXT1 

PLAINTEXT2 

PLAINTEXT3  1 

57 

0000000000000040 

e07  c30d7  e4e26e 1 2 

b52965 82b 1 b7 3b47 

4ad69a7d4e48c4b8  | 

58 

0000000000000020 

0953e2258e8e90al 

5c06b770dbdbc5f4 

a3f9488f24243a0b  ! 

59 

0000000000000010 

5b7 1  Ibc4ceebf2ee 

0e244e9 1 9bbea7bb 

f  1  dbb 1 6e644 15844 

60 

0000000000000008 

cc083fle6d9e85f6 

995d6a4b38cbd0a3 

66a295b4c7342f5c  I 

61 

0000000000000004 

d2fd8867d50d2dfe 

87a8dd32805878ab 

785722cd7fa78754  j 

62 

0000000000000002 

06e7ea22ce92708f 

53b2bf779bc725da 

ac4d40886438da25 

63 

0000000000000001 

1 66b40b44aba4bd6 

433el5ellfefle83 

bcclealee010el7c 

283 


Table  A.8  Values  To  Be  Used  for  the  Substitution  Table  Known  Answer  Test 


for  TCBC-I  Mode  of  Operation 


(NOTE  -  IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 

KEY 

PLAINTEXTS 

CIPHERTEXT1 

CIPHERTEXT2 

CIPHERTEXT3  : 

0 

7cal 10454ala6e57 

01ald6d039776742 

690f5b0d9a26939b 

89202f224f  1  f226 1 

585ale8d89705dl0 

1 

0131d9619dcl376e 

5cd54ca83def57da 

7a389dl0354bd271 

6dda0de99d3c86b9 

99985b67b598bd25 

2 

07al 133e4a0b2686 

0248d43806f67172 

868ebb5 lcab4599a 

82006 1 6c5 89bc7 aa 

d2ff67461377fbb5  ! 

3 

3849674c2602319e 

5 1 454b5 82ddf440a 

717887 6e0 1 f 1 9b2a 

64757292febccadl 

93bd8beeea23 1  Ofc  1 

4 

04b9 1 5ba43feb5b6 

42fd443 05 95 77fa2 

af37  fb42 1  f8c4095 

204fc6 1 23992d4e9 

6bfb4df0569cebce 

5 

01 13b970fd34f2ce 

059b5e0851cfl43a 

86a560fl0ec6d85b 

Ifa86f6f735603a3 

0be3558738c6d7c3  : 

6 

0170fl75468fb5e6 

0756d8e0774761d2 

0cd3da02002 1 dc09 

65e05d62b35aa365 

3bfc9a3f034da292  ! 

7 

43297fad38e373fe 

7625 1 4b829bf486a 

ea67 6b2cb7  db2b7  a 

95c0f9e595aec2ff 

ea9ab3585f 166586  j 

8 

07a7137045da2al6 

3bddl 19049372802 

dfd64a8 1 5caf 1 aOf 

127359c20el0e25a 

953a36ffl3a08906 

9 

04689 104c2fd3b2f 

26955f6835af609a 

5c5 1 3c9c4886c088 

b089d90f84ef0c4c 

08bd60f6f80d6fad  | 

10 

3  7  d06bb5 1 6cb75 46 

164d5e404f275232 

0a2aeeae3ff4ab77 

32bbdd67  d4e66dd6 

83  a30606fc7  8d740  | 

11 

1 f08260d 1 ac2465e 

6b056e  1 8759f5cca 

eflbf03e5dfa575a 

b4873081fdebc81d 

6445 7 99c9b7 01694 

12 

58402364 laba6 176 

004bd6ef09 176062 

88bf0db6d70dee56 

988fe2e8e  1 755e78 

lei  fdd8660a75bb5 

13 

0258161 64629b007 

480d39006ee762f2 

alf9915541020b56 

ee6c0febb2 1 2b2 1 8 

60bae59c5 1767394  j 

14 

49793ebc79b3258f 

437540c8698f3cfa 

6fbf  1  c  afcffd0556 

c03  adc2b6aa85b5b 

826ec7e02f486885  ! 

15 

4fb05el515ab73a7 

072d43a077075292 

2f22e49bab7ca  1  ac 

096a4136e0f65f76 

9e30377b7a39d5d3 

16 

49e95d6d4ca229bf 

02fe557781 17fl2a 

5a6b6 1 2cc26cce4a 

bf4da6aa59ed575 1 

64b77306321a932c 

17 

018310dc409b26d6 

Id9d5c5018f728c2 

5f4c03 8ed 1 2b2e4 1 

aab93390e 1 3d3bb3 

3bl7daff733fcfb0  ! 

18 

Ic587flcl3924fef 

305532286d6f295a 

63fac0d034d9f793 

db3c4 1 06c5db5648 

7f382 1 5d73b0ee62 
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Table  A.9  Resulting  Ciphertext  from  the  Variable  TEXT  Known  Answer  Test 

for  TCFB-P  and  TOFB-I  Modes  of  Operation 

(NOTE  -  TEXT  =  00  00  00  00  00  00  00  00 


IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


RND 

PLAINTEXT  1  ®  IV 1 

CIPHERTEXT  1 

PLAINTEXT2  ®  IV2 

CIPHERTEXT2 

PLAINTEXT3  ®  IV3 

CIPHERTEXT3 

i  o 

8000000000000000 

95f8a5e5dd31d900 

d555555555555555 

f7552ab6cb2Ie2bc 

2aaaaaaaaaaaaaaa 

5a48d3de869557fd 

i  1 

4000000000000000 

dd7fl21ca50156I9 

9555555555555555 

0c783d97d0dbf51a 

eaaaaaaaaaaaaaaa 

fl5ee2019a5b547c 

i  2 

2000000000000000 

2e8653104f3834ea 

7555555555555555 

05b865ale49edI09 

caaaaaaaaaaaaaaa 

f925b68465b6078c 

!  3 

1000000000000000 

4bd3  8  8ff6cd8 1  d4f 

6555555555555555 

9e5 1 1 52dbce90b02 

baaaaaaaaaaaaaaa 

f6089ca9b7227 65c 

4 

0800000000000000 

20b9e7 67b2fb 1456 

5d55555555555555 

c39I93d42381b313 

b2aaaaaaaaaaaaaa 

4f  1  b 8 03 6d44 1  af95  i 

i  5 

0400000000000000 

55579380d77138ef 

5955555555555555 

e293394891554b68 

aeaaaaaaaaaaaaaa 

450891 861 80bd59 I 

!  6 

0200000000000000 

6cc5defaaf045 12f 

5755555555555555 

I359f4d663a3209c 

acaaaaaaaaaaaaaa 

d86dd807085fa8e6  j 

:  7 

0100000000000000 

0d9f279ba5d87260 

5655555555555555 

0d0f03e8f8594a66 

abaaaaaaaaaaaaaa 

d27eb94e56c3172a 

:  8 

0080000000000000 

d903 1 b027 1 bd5a0a 

55d5555555555555 

4334b5felb7f5320 

ab2aaaaaaaaaaaaa 

d6ad42065e3 1 bdb 1 

i  9 

0040000000000000 

424250b37c3dd95 1 

5595555555555555 

9484c I c29b62c4 I e 

aaeaaaaaaaaaaaaa 

f54f2bd8e2eb2bc6 

i  10 

0020000000000000 

b8061b7ecd9a21e5 

5575555555555555 

c8eb2e340855325b 

aacaaaaaaaaaaaaa 

6cf8932328c7e49b 
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i  RND 

PLAINTEXT  1  ®  IV 1 

CIPHERTEXT  1 

PLAINTEXT2  ®  IV2 

CIPHERTEXT2 

PLAINTEXT3  ®  IV3 

CIPHERTEXT3 

!  n 

0010000000000000 

fl5d0f286b65bd28 

5565555555555555 

e88a676ef848e6dl 

aabaaaaaaaaaaaaa 

72ea3aadb569af43 

S  12 

0008000000000000 

add0cc8d6e5debal 

555d555555555555 

be433af4c5ae0f97 

aab2aaaaaaaaaaaa 

0d7  Iecadd7a49fec 

i  13 

0004000000000000 

e6d5f82752ad63d  1 

5559555555555555 

9e32639bb9d27cc7 

aaaeaaaaaaaaaaaa 

fcl463bb9bba9el 1 

|  14 

0002000000000000 

ecbfe3bd3f591a5e 

5557555555555555 

fa5 1 0732fa87 1 094 

aaacaaaaaaaaaaaa 

3 1 568f2e0ac0d693 

15 

0001000000000000 

f356834379d 1 65cd 

5556555555555555 

9flb31571ed41078 

aaabaaaaaaaaaaaa 

fbcfc086f81 11572 

;  i6 

0000800000000000 

2b9f982f20037fa9 

5555d55555555555 

f4169ca3fc6799ed 

aaab2aaaaaaaaaaa 

d67ca5071769cafe  | 

1  17 

0000400000000000 

889de068al6f0be6 

5555955555555555 

e9a738ac85e2ca4b 

aaaaeaaaaaaaaaaa 

63fc8ec  1421 399b8 

!  18 

0000200000000000 

el9e275d846al298 

5555755555555555 

ee26a403caca387d 

aaaacaaaaaaaaaaa 

5d84b7acabb63bfb 

!  19 

0000100000000000 

329a8ed523d7 laec 

5555655555555555 

0b3f88ef87d85953 

aaaabaaaaaaaaaaa 

e3f663de44003f9b 

!  20 

0000080000000000 

e7fce22557d23c97 

55555d5555555555 

bb04e854f99f6352 

aaaab2aaaaaaaaaa 

4e5892f230b6d6d 1  I 

i  21 

0000040000000000 

12a9f5817ff2d65d 

5555595555555555 

f0881280455dec63 

aaaaaeaaaaaaaaaa 

4432allelc320e7a  | 

1  22 

0000020000000000 

a484c3  ad3  8dc9c 1 9 

5555575555555555 

8ae9dee849b46527 

aaaaacaaaaaaaaaa 

02ce2 1 a9c83ba4d6 

23 

0000010000000000 

fbe00a8a 1 ef 8ad72 

5555565555555555 

74b7d252cae558fb 

aaaaabaaaaaaaaaa 

6fdld0793clb7af2 

24 

0000008000000000 

750d079407521363 

555555d555555555 

b8b27dl286bdbb26 

aaaaab2aaaaaaaaa 

fc286fa362d8c93c 

1  25 

0000004000000000 

64feed9c7 24c2faf 

5555559555555555 

4e3dd222e292dd96 

aaaaaaeaaaaaaaaa 

e3  a7  abc  88132ad7d 

26 

0000002000000000 

f02b263b328e2b60 

5555557555555555 

a213c5c56fdcal39 

aaaaaacaaaaaaaaa 

8868d3 1 1 402 1 a027 
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i  RND 

PLAINTEXT  1  ®  IV 1 

CIPHERTEXT  1 

PLAINTEXT2  ®  IV2 

CIPHERTEXT2 

PLAINTEXT3  ®  IV3 

CIPHERTEXT3 

j  27 

0000001000000000 

9d64555a9al0b852 

5555556555555555 

05df49a56a345cf9 

aaaaaabaaaaaaaaa 

568fa34d2fc7225e 

i  28 

0000000800000000 

dl06ff0bed5255d7 

5555555d55555555 

c32c 1 9229d84e2b4 

aaaaaab2aaaaaaaa 

If81cbb9403ecc59 

1  29 

0000000400000000 

e 1 652c6b 1 3  8c64a5 

5555555955555555 

89c6e06ce6 1 64d  84 

aaaaaaaeaaaaaaaa 

edd6029a6b80a442 

i  30 

0000000200000000 

e4285  811 86ec8f46 

5555555755555555 

5924454953ad5732 

aaaaaaacaaaaaaaa 

ef9091  Ic0f9a66f3 

:  31 

0000000100000000 

aeb5f5ede22d  1  a36 

5555555655555555 

7a3el5c0953b08cc 

aaaaaaabaaaaaaaa 

9 1  f5b30f0 1 5b4a54 

32 

0000000080000000 

e943d7568aec0c5c 

55555555d5555555 

88e3dd 1 448c4e0ff 

aaaaaaab2aaaaaaa 

a5aec2896cff08e5 

i  33 

0000000040000000 

df9  8c 827 6f54b04b 

5555555595555555 

9f55ebaca42cb845 

aaaaaaaaeaaaaaaa 

97061699383bbfe0 

!  34 

0000000020000000 

b 1 60e4680f6c696f 

5555555575555555 

a5206a311e9c2515 

aaaaaaaacaaaaaaa 

08e218f2cbledel8  j 

|  35 

0000000010000000 

fa0752b07d9c4ab8 

5555555565555555 

e944c64af09dfa84 

aaaaaaaabaaaaaaa 

1 a6849edcb7 0 1 b07 

!  36 

0000000008000000 

ca3a2b036dbc8502 

555555555d555555 

af 1 2004 1 8fd37fdd 

aaaaaaaab2aaaaaa 

85480c507233c006 

37 

0000000004000000 

5e09055 1 7bb59bcf 

5555555559555555 

574a377b5al50353 

aaaaaaaaaeaaaaaa 

bcaa0b7b7b3464c5 

!  38 

0000000002000000 

8 1 4eeb3b9 1 d90726 

5555555557555555 

456al865905ed57d 

aaaaaaaaacaaaaaa 

0439f36972dc531f 

!  39 

0000000001000000 

4d49db 153291 9c9f 

5555555556555555 

8427 c42d027 a34d0 

aaaaaaaaabaaaaaa 

62133d9330e2e86b 

'  40 

0000000000800000 

25eb5fc3f8cf062 1 

5555555555d55555 

58da89972266a7e3 

aaaaaaaaab2aaaaa 

f9c2472742b5f9e8 

!  41 

0000000000400000 

ab6a20c0620d 1 c6f 

5555555555955555 

led85  8bcbc934c 1 7 

aaaaaaaaaaeaaaaa 

db36baba70c3b9af 

!  42 

0000000000200000 

79e90dbc98f92cca 

5555555555755555 

88249b73e99c5ac0 

aaaaaaaaaacaaaaa 

0758bl3e912d53cb 
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i  RND 

PLAINTEXT  1  ®  IV 1 

CIPHERTEXT  1 

PLAINTEXT2  ®  IV2 

CIPHERTEXT2 

PLAINTEXT3  ®  IV3 

CIPHERTEXT3 

43 

0000000000100000 

866ecedd8072bb0e 

5555555555655555 

6931421 2c7 a9d6b 1 

aaaaaaaaaabaaaaa 

70470a07cb34el09 

S  44 

0000000000080000 

8b54536f2f3e64a8 

55555555555d5555 

cd8dc942ae2bbl75 

aaaaaaaaaab2aaaa 

9c6ade3  a9e772c7c 

1  45 

0000000000040000 

ea51d3975595b86b 

5555555555595555 

4c0a052894ed7436 

aaaaaaaaaaaeaaaa 

26e6223634c857a3 

i  46 

0000000000020000 

caffc6ac4542de3 1 

5555555555575555 

1 6952dc  89c0acd65 

aaaaaaaaaaacaaaa 

72dfd337fel83a6d 

47 

0000000000010000 

8dd45a2ddf90796c 

5555555555565555 

92ef4c43507 11745 

aaaaaaaaaaabaaaa 

363219d8cec5a9f3 

48 

0000000000008000 

1029d55e880ec2d0 

555555555555d555 

b40225 aea 1 2 1 c  8d3 

aaaaaaaaaaab2aaa 

4bc89cl 804bcae82 

1  49 

0000000000004000 

5d86cb23639dbea9 

5555555555559555 

a9eab 1 2 1 edde0ca7 

aaaaaaaaaaaaeaaa 

ae527ed311a25ea2 

j  50 

0000000000002000 

Idlca853ae7c0c5f 

5555555555557555 

4fb69c832db68026 

aaaaaaaaaaaacaaa 

a 1 5 84c  1 024f6 1  f3d 

;  51 

0000000000001000 

ce332329248f3228 

5555555555556555 

761b3dlff06c513e 

aaaaaaaaaaaabaaa 

c55d7544aleae274 

1  52 

0000000000000800 

8405dlabe24fb942 

5555555555555d55 

6be457abc511e87c 

aaaaaaaaaaaab2aa 

aef86 1  c69fd34489 

j  53 

0000000000000400 

e643d78090ca4207 

5555555555555955 

ebb5al887blf6e3a 

aaaaaaaaaaaaaeaa 

3dl9267de9cl2e7b  , 

j  54 

0000000000000200 

48221b9937748a23 

5555555555555755 

d23a8dfe39c98883 

aaaaaaaaaaaaacaa 

ade5 1 3b3ed994800 

|  55 

0000000000000100 

dd7c0bbd61fafd54 

5555555555555655 

9f986bb8f7e6fa46 

aaaaaaaaaaaaabaa 

d43941ab72932bb0 

:  56 

0000000000000080 

2fbc291a570db5c4 

55555555555555d5 

0adcf552ecl754c6 

aaaaaaaaaaaaab2a 

7f7352dfadel3el3 

1  57 

0000000000000040 

e07c30d7e4e26el2 

5555555555555595 

6c25b868caflf7d3 

aaaaaaaaaaaaaaea 

74bc744f  1 0f63  889 

!  58 

0000000000000020 

0953e2258e8e90al 

5555555555555575 

0912754e7c42f637 

aaaaaaaaaaaaaaca 

a483f2da4099a 1 36 
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I  RND 

PLAINTEXT  1  ®  IV 1 

CIPHERTEXT  1 

PLAINTEXT2  ®  IV2 

CIPHERTEXT2 

PLAINTEXT3  ®  IV3 

CIPHERTEXT3 

59 

0000000000000010 

5b7 1  Ibc4ceebf2ee 

5555555555555565 

2fa6a76d9b83e3dd 

aaaaaaaaaaaaaaba 

a2e 1 3c570 1 a60444  1 

i  60 

0000000000000008 

cc083fle6d9e85f6 

555555555555555d 

006fal2a796ac4d3 

aaaaaaaaaaaaaab2 

bcl0a45ceedb56b3 

;  6i 

0000000000000004 

d2fd8867d50d2dfe 

5555555555555559 

6a0bd7954b5aa04d 

aaaaaaaaaaaaaaae 

cc6adceflbe975ef 

!  62 

0000000000000002 

06e7ea22ce92708f 

5555555555555557 

f307b5bcd44f3d8d 

aaaaaaaaaaaaaaac 

3dc004f9cd4a9c22 

!  63 

0000000000000001 

1 66b40b44aba4bd6 

5555555555555556 

009e8232891c8a36 

aaaaaaaaaaaaaaab 

17d8e9c374dl 4494 
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Table  A.10  Values  to  be  Used  for  the  Substitution  Table  Known  Answer  Test 


for  TCFB-P  and  TOFB-I  Modes  of  Operation 

(NOTE  -  TEXT  =  00  00  00  00  00  00  00  00) 


RND 

KEY 

IV1 

CIPHERTEXT2 

IV2 

CIPHERTEXT2 

IV3 

CIPHERTEXT3 

0 

7cal 10454ala6e57 

01ald6d039776742 

690f5b0d9a26939b 

56f72c258eccbc97 

97fclb9381f05ffa 

ac4c8 1 7 ae422 1 1 ec 

e90a65 8ca2 1 2b240 

1 

0131d9619dcl376e 

5cd54ca83def57da 

7a389dl0354bd27 1 

b22aalfd9344ad2f 

16971745 14a33238 

077ff752e89a0284 

2 1 329d25683b4606 

2 

07al 133e4a0b2686 

0248d43 806f67 172 

868ebb5 lcab4599a 

579e298d5c4bc6c7 

3c33dc00289664d0 

acf37ee2blallclc 

66477e326b77dd91 

3849674c2602319e 

5 1 454b5 82ddf440a 

7178876e01fl9b2a 

a69aa0ad8334995f 

94 1  fcf0e43  a965af 

fbeff602d889eeb4 

8d71d3da699fa6f5 

04b9 1 5ba43feb5b6 

42fd443 05 9577fa2 

af37fb421f8c4095 

98529985aeacd4f7 

Ie327e778501022a 

eda7eedb04022a4c 

9e547f92a9ad358c 

5 

01 13b970fd34f2ce 

059b5e0851cfl43a 

86a560fl0ec6d85b 

5af0b35da724698f 

637038eaaa7dl67e 

b04608b2fc7  9bee4 

6f975aa305eb7548 

6 

0170fl75468fb5e6 

0756d8e0774761d2 

0cd3da02002 1 dc09 

5cac2e35cc9cb727 

Ic7fe0ddc80d3f6e 

b201838b21f20c7c 

cad8716fc  1176297 

7 

43297fad38e373fe 

7625 1 4b829bf486a 

ea67 6b2cb7  db2b7  a 

Cb7a6a0d7fl49dbf 

4b36062823e8190f 

20cfbf62d469f3  1 4 

664e8d98d3986cfe 

8 

07a7137045da2al6 

3bdd 119049372802 

dfd64a8 1 5caf 1 aOf 

913266e59e8c7d57 

Iff289bc8e07c5f3 

e687bc3aOeld2ac 

948ab876125e7c7f 

9 

04689 104c2fd3b2f 

26955f6835af609a 

5c5 1 3c9c4886c088 

7beab4bd8b04b5ef 

1 9f7  6ad4a4 1 5b  1  c  1 

d 1 400a 1 2e05  a0b44 

75d6085dlble472d 

10 

37d06bb5 16cb7546 

164d5e404f275232 

0a2aeeae3ff4ab77 

6ba2b395a47ca787 

c7  8b293dc022c9aa 

c0f808eaf9d  1  fcdc 

6ac4da432 1 4 1 aa  1 6 

11 

1  f08260d 1 ac2465e 

6b056e  1 8759f5cca 

eflbf03e5dfa575a 

c05ac36dc  af4b2 1  f 

5469ad2a9c97bfl9 

15b018c3204a0774 

9983b852b915da86 

12 

58402364 laba6 176 

004bd6ef09 176062 

88bf0db6d70dee56 

55  a 1 2c445e6cb5b7 

77aeb7e9d51577e5 

aaf68199b3c20b0c 

fb716445fla43232 

13 

0258161 64629b007 

480d39006ee762f2 

alf9915541020b56 

9d628e55c43cb847 

08cdd6072e276e2e 

f2b7  e3  ab  1 9920d9c 

Idb44a9e6f4bd7dc 
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RND 

KEY 

IY1 

CIPHERTEXT2 

IY2 

CIPHERTEXT2 

IY3 

CIPHERTEXT3 

14 

49793ebc79b3258f 

437540c8698f3cfa 

6fbflcafcffd0556 

98ca961dbee4924f 

0aa3768ad4358b6c 

ee  1  feb7 3 1 439e7a4 

68b40c29c223 8233 

15 

4fb05el515ab73a7 

072d43a077075292 

2f22e49bab7ca  1  ac 

5c8298f5cc5ca7e7 

7fd  1 4 1 1  fd6a3 1497 

bld7ee4b21blfd3c 

dd6359e60 1 656be3 

16 

49e95d6d4ca229bf 

02fe557781 17fl2a 

5a6b6 1 2cc26cce4a 

5853 aaccd66d467 f 

1 1 6a6ae6e 1 e47270 

ada900222bc29bd4 

bl  6f4467 a4f95fd0 

17 

018310dc409b26d6 

Id9d5c5018f728c2 

5f4c03 8ed 1 2b2e4 1 

72f2bla56e4c7el7 

del Id7elc6d5797c 

c84806fac3ald36c 

9cb7  c0a87  fa2bdbe 

18 

Ic587flcl3924fef 

305532286d6f295a 

63fac0d034d9f793 

85  aa877dc2c47  eaf 

9896336cbadada37 

daffdcd3 181 9d404 

Ic5e61a81d05a5ef 
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Table  A.ll  Resulting  Ciphertext  from  the  Variable  KEY  Known  Answer  Test 

for  TCBC-I,  TCFB-P  and  TOFB-I  Modes  of  Operation 

(NOTE  -  TEXT1  =  TEXT2  =  TEXT3  =  00  00  00  00  00  00  00  00 


IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 

KEY 

C1/RESULT1 

C2/RESULT2 

C3/RESULT3  | 

0 

8001010101010101 

95a8d728 1 3daa94d 

b8bc8dbcOb24cfa9 

Ie08a515clle0del 

1 

4001010101010101 

Oeec 1487 dd  8c26d5 

badb3425df504209 

0608b0c77f0ab5 1 1  : 

2 

2001010101010101 

7adl6ffb79c45926 

34069d065 3 6cfaf8 

3d090b8509 10022e  ! 

3 

1001010101010101 

d3746294ca6a6cf3 

53edd6c7b2d8663c 

19d83418eaf8e3ab  j 

4 

0801010101010101 

809f5f873c  1  fd7  6 1 

17dld4a8731b3acd 

91da457d7el6d6a5  I 

5 

0401010101010101 

c02faffec989dlfc 

5 1 454c54f4ea8 1 7e 

6a4ec92bc50c9503 

6 

0201010101010101 

4615aald33e72fl0 

8f640c66e3ad6c5f 

al85e92b67a45257  | 

7 

0180010101010101 

2055123350c00858 

e09a8dbe2b782986 

0b7e 1 3fdbadc96aa 

8 

0140010101010101 

df3b99d6577397c8 

6ble20dlbelc25e5 

eacef886f5087ce8 

9 

0120010101010101 

31fel7369b5288c9 

d7c9edl 16a4ca5c3 

69c60fl 11 8060221 

10 

0110010101010101 

dfdd3cc64dae  1 642 

bb34b6ec92447bdc 

99547b8b947e8c44  j 
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ROUND 

KEY 

C1/RESULT1 

C2/RESULT2 

C3/RESULT3  i 

43 

0101010101014001 

14cld7clcffec79e 

0f38a59e95a70fl3 

9879dll6764dafe3  i 

44 

0101010101012001 

Ide5279dae3bed6f 

97108885fe2018ed 

154b6e3c9a2871bl  | 

45 

0101010101011001 

e941a33f85501303 

71147052540af3d8 

21397c0ec6a47e75  1 

46 

0101010101010801 

da99dbbc9a03f379 

563df95ec668d933 

dl Id4e56261716a9  | 

47 

0101010101010401 

b7  fc92f9 1  d  8e92e9 

c8003e219b996cc7 

fb258blabf89b7c4  j 

48 

0101010101010201 

ae8e5caa3ca04e85 

722fb4507 1 5fb3 1 7 

c52f5e37f39dle6f  j 

49 

0101010101010180 

9cc62df43b6eed74 

7edfaaa980158515 

e91439e9838dcc9d  | 

50 

0101010101010140 

d863dbb5c59a91a0 

82fb07d5eld5bl00 

78c2810a85028047  i 

51 

0101010101010120 

al ab2 1 90545b9 1 d7 

04f0cbaff 1 735340 

d466ec944alfe7f7  ' 

52 

0101010101010110 

087504 Ie64c570f7 

70eelae9b095db22 

2fcd9094c8d397f2 

53 

0101010101010108 

5a594528bebef  1  cc 

004dd0b91a2e7709 

80 1 8 1 b83 1 cdc8d6 1  ! 

54 

0101010101010104 

fcdb329  lde2 1  fOcO 

cab8e849e0ab0c32 

3367b  Ifbb4d2ffa7  I 

55 

0101010101010102 

869efd7f9f265a09 

451f0c33f24fb8dc 

2b74cld96cde840b  ! 
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Table  A.12  Values  To  Be  Used  for  the  Permutation  Operation  Known  Answer  Test 

for  TCBC-I,  TCFB-P  and  TOFB-I  Modes  of  Operation 

(NOTE  -  TEXT1  =  TEXT2  =  TEXT3  =  00  00  00  00  00  00  00  00 


IV 1  =  00  00  00  00  00  00  00  00 
IV2  =  55  55  55  55  55  55  55  55 
IV3  =  aa  aa  aa  aa  aa  aa  aa  aa) 


ROUND 

KEY 

C1/RESULT1 

C2/RESULT2 

C3/RESULT3 

0 

1 0469 1 3489980 131 

88d55e54f54c97b4 

23c25ab3el9b6b94 

e5b490db69b0f2ec 

I 

1007103489988020 

0c0cc00c83ea48fd 

9e7b9f655eafef5d 

2031be52988cd49e 

2 

10071034c8980120 

83bc8ef3a6570183 

948e0 1 80ec95ab6 1 

fcb4a56abf4b7b4e 

3 

1046103489988020 

df725dcad94ea2e9 

e97bb3b  1 0db9f7  00 

f627685cf879c48 1 

4 

1086911519190101 

e652b53b550be8b0 

df9e3cel44e6a0df 

373a495e2a289a9e 

5 

1086911519580101 

af527120c485cbb0 

5fc7e5405519f6fb 

5d8c63f84dc7b760 

6 

5 107b015 19580101 

0f04ce393db926d5 

4ce6c34fc99a7  e47 

43599c906eaa26af 

7 

1007b015 19190101 

c9f00ffc7 407 9067 

d59da3b97fa77d57 

3ad69f5  8d64555fd 

8 

3107915498080101 

7cfd82a593252b4e 

2c90e8dcbfd28764 

f5fec7cc3602fb9c 

9 

3107919498080101 

cb49a2f9e9 1 363e3 

e3ef  1  da5cdfe2040 

cbab42d  1 54f3248c 

10 

100791 15b9080 140 

00b588be70d23f56 

ab256e068344f3d9 

2957f7aec090659f 

296 


ROUND 

KEY 

C1/RESULT1 

C2/RESULT2 

C3/RESULT3 

27 

1004801598190108 

aed0f6ae3c25cdd8 

fc9e390a9093a7ac 

8868a98291 13d4a3 

28 

1002911598100104 

b3e35a5ee53e7b8d 

13685elb83c61eef 

Oec 1 22be6dc26c83 

29 

1002911598190104 

61c79c71921a2ef8 

Idl9adde7fb74e34 

9792ca21f5adbce6 

30 

1002911598100201 

e2f5728f0995013c 

1423db30c7el 18fb 

e5f2d4dd2f43d9d 1 

31 

1002911698100101 

Iaeac39a61f0a464 

31eed52fa33c013d 

dcf4548cf2374875 
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